@Test
public void createAuthenticatableResource_notAuthorized_shouldFail() {
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, false);
final char[] password = generateUniquePassword();
final String externalId = generateUniqueExternalId();
generateResourceAndAuthenticate();
// attempt to create authenticatable resource without create-permission authorization
try {
accessControlContext.createResource(
resourceClassName, domainName, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource without authorization should fail");
} catch (NotAuthorizedException e) {
assertThat(e.getMessage().toLowerCase(), containsString("create resource"));
}
try {
accessControlContext.createResource(
resourceClassName, domainName, externalId, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource without authorization should fail");
} catch (NotAuthorizedException e) {
assertThat(e.getMessage().toLowerCase(), containsString("create resource"));
}
}
@Test
public void createAuthenticatableResource_withExtId_validAsUnauthenticated() {
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, true);
final String permissionName = generateResourceClassPermission(resourceClassName);
final String permissionName2 = generateResourceClassPermission(resourceClassName);
final char[] password = generateUniquePassword();
final String externalId = generateUniqueExternalId();
// (ironically,) set up an authenticatable resource with resource class create permission
final Resource authenticatedResource = generateResourceAndAuthenticate();
grantResourceCreatePermission(authenticatedResource, resourceClassName, domainName);
final ResourcePermission implicitResourcePermission =
ResourcePermissions.getInstance(permissionName);
final ResourcePermission implicitResourcePermission2 =
ResourcePermissions.getInstance(permissionName2);
Set<Resource> resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, implicitResourcePermission);
assertThat(resourcesByPermission.isEmpty(), is(true));
Set<Resource> resourcesByPermission2 =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, implicitResourcePermission2);
assertThat(resourcesByPermission2.isEmpty(), is(true));
// create resource while unauthenticated and verify
accessControlContext.unauthenticate();
final Resource resource =
accessControlContext.createResource(
resourceClassName, domainName, externalId, PasswordCredentials.newInstance(password));
assertThat(resource, is(not(nullValue())));
assertThat(resource.getExternalId(), is(externalId));
// re-authenticate as System Resource (because we don't have the previous credentials) and
// verify created resource
authenticateSystemResource();
assertThat(accessControlContext.getDomainNameByResource(resource), is(domainName));
final ResourceClassInfo resourceClassInfo =
accessControlContext.getResourceClassInfoByResource(resource);
assertThat(resourceClassInfo.getResourceClassName(), is(resourceClassName));
// verify resource created while unauthenticated gets *ALL* available resource class permissions
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
SYS_RESOURCE, resourceClassName, implicitResourcePermission);
assertThat(resourcesByPermission.size(), is(1));
resourcesByPermission2 =
accessControlContext.getResourcesByResourcePermissions(
SYS_RESOURCE, resourceClassName, implicitResourcePermission2);
assertThat(resourcesByPermission2.size(), is(1));
// verify we can authenticate
accessControlContext.authenticate(resource, PasswordCredentials.newInstance(password));
}
@Test
public void getResourceClassInfoByResource_nonExistentReferences_shouldFail() {
authenticateSystemResource();
final char[] password = generateUniquePassword();
final Resource accessorResource = generateAuthenticatableResource(password);
generateResourceClass(false, false);
// authenticate and verify
accessControlContext.authenticate(accessorResource, PasswordCredentials.newInstance(password));
try {
accessControlContext.getResourceClassInfoByResource(Resources.getInstance(-999L));
fail("getting resource class info by resource for non-existent resource should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("not found"));
}
try {
accessControlContext.getResourceClassInfoByResource(Resources.getInstance("invalid"));
fail(
"getting resource class info by resource for non-existent external resource reference should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("not found"));
}
try {
accessControlContext.getResourceClassInfoByResource(Resources.getInstance(-999L, "invalid"));
fail(
"getting resource class info by resource for mismatched internal/external resource ids should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("not resolve"));
}
}
@Test
public void getResourceClassInfoByResource_nulls() {
final char[] password = generateUniquePassword();
final Resource accessorResource = generateAuthenticatableResource(password);
generateResourceClass(false, false);
// authenticate and verify
accessControlContext.authenticate(accessorResource, PasswordCredentials.newInstance(password));
try {
accessControlContext.getResourceClassInfoByResource(null);
fail("getting resource class info by resource for null resource should have failed");
} catch (NullPointerException e) {
assertThat(e.getMessage().toLowerCase(), containsString("resource required"));
}
try {
accessControlContext.getResourceClassInfoByResource(Resources.getInstance(null));
fail(
"getting resource class info by resource for null internal/external resource ids should have failed");
} catch (IllegalArgumentException e) {
assertThat(
e.getMessage().toLowerCase(),
containsString("resource id and/or external id is required"));
}
}
@Test
public void createAuthenticatableResource_nonExistentReferences_shouldFail() {
authenticateSystemResource();
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, false);
final char[] password = generateUniquePassword();
final String externalId = generateUniqueExternalId();
// attempt to create authenticatable resources with non-existent references to class or domain
// names
try {
accessControlContext.createResource(
"does_not_exist", domainName, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with non-existent resource class name should fail");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("could not find resource class"));
}
try {
accessControlContext.createResource(
"does_not_exist", domainName, externalId, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with non-existent resource class name should fail");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("could not find resource class"));
}
try {
accessControlContext.createResource(
resourceClassName, "does_not_exist", PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with non-existent domain name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("could not find domain"));
}
try {
accessControlContext.createResource(
resourceClassName,
"does_not_exist",
externalId,
PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with non-existent domain name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("could not find domain"));
}
}
@Test
public void createAuthenticatableResource_withExtId_validAsAuthorized() {
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, false);
final char[] password = generateUniquePassword();
final char[] passwordBase = generateUniquePassword();
final char[] shortPwd = (passwordBase + "123").substring(0, 3).toCharArray();
final char[] whitespacedPwd = (" " + passwordBase + "\t").toCharArray();
final String externalId = generateUniqueExternalId();
// (ironically,) set up an authenticatable resource with resource class create permission
final Resource authenticatedResource = generateResourceAndAuthenticate();
final String permissionName = generateResourceClassPermission(resourceClassName);
final ResourcePermission grantedResourcePermission =
ResourcePermissions.getInstance(permissionName);
grantResourceCreatePermission(
authenticatedResource, resourceClassName, domainName, permissionName);
Set<Resource> resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, grantedResourcePermission);
assertThat(resourcesByPermission.isEmpty(), is(true));
// create resource and verify
final Resource resource =
accessControlContext.createResource(
resourceClassName, domainName, externalId, PasswordCredentials.newInstance(password));
assertThat(resource, is(not(nullValue())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, grantedResourcePermission);
assertThat(resourcesByPermission.size(), is(1));
assertThat(accessControlContext.getDomainNameByResource(resource), is(domainName));
final ResourceClassInfo resourceClassInfo =
accessControlContext.getResourceClassInfoByResource(resource);
assertThat(resourceClassInfo.getResourceClassName(), is(resourceClassName));
assertThat(resource.getExternalId(), is(externalId));
// verify we can authenticate
accessControlContext.authenticate(resource, PasswordCredentials.newInstance(password));
}
@Test
public void createAuthenticatableResource_validAsSystemResource() {
authenticateSystemResource();
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, false);
final char[] password = generateUniquePassword();
// create resource and verify
final Resource resource =
accessControlContext.createResource(
resourceClassName, domainName, PasswordCredentials.newInstance(password));
assertThat(resource, is(not(nullValue())));
accessControlContext.authenticate(resource, PasswordCredentials.newInstance(password));
assertThat(accessControlContext.getDomainNameByResource(resource), is(domainName));
final ResourceClassInfo resourceClassInfo =
accessControlContext.getResourceClassInfoByResource(resource);
assertThat(resourceClassInfo.getResourceClassName(), is(resourceClassName));
}
@Test
public void createAuthenticatableResource_unauthenticatableResourceClass_shouldFail() {
authenticateSystemResource();
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(false, false);
final char[] password = generateUniquePassword();
// attempt to create authenticatable resource for unauthenticatable resource class
try {
accessControlContext.createResource(
resourceClassName, domainName, PasswordCredentials.newInstance(password));
fail(
"creating authenticatable resource for unauthenticatable resource class name should have failed");
} catch (IllegalArgumentException e) {
assertThat(
e.getMessage().toLowerCase(), containsString("credentials not supported, but specified"));
}
}
@Test
public void getResourceClassInfoByResource_validAsSystemResource() {
authenticateSystemResource();
generateUnauthenticatableResource();
final String resourceClassName = generateResourceClass(true, false);
final Resource queriedResource =
accessControlContext.createResource(
resourceClassName,
accessControlContext.getDomainNameByResource(SYS_RESOURCE),
PasswordCredentials.newInstance(generateUniquePassword()));
// verify
final ResourceClassInfo resourceClassInfo =
accessControlContext.getResourceClassInfoByResource(queriedResource);
assertThat(resourceClassInfo, is(not(nullValue())));
assertThat(resourceClassInfo.getResourceClassName(), is(resourceClassName));
assertThat(resourceClassInfo.isAuthenticatable(), is(true));
assertThat(resourceClassInfo.isUnauthenticatedCreateAllowed(), is(false));
}
@Test
public void createAuthenticatableResource_invalidPassword_shouldFail() {
authenticateSystemResource();
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, false);
// attempt to create authenticatable resource with invalid passwords
try {
accessControlContext.createResource(resourceClassName, domainName, (Credentials) null);
fail("creating authenticatable resource with null credentials should have failed");
} catch (NullPointerException e) {
assertThat(e.getMessage().toLowerCase(), containsString("credentials required"));
}
try {
accessControlContext.createResource(
resourceClassName, domainName, PasswordCredentials.newInstance(null));
fail("creating authenticatable resource with null password should have failed");
} catch (InvalidCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("password required, none specified"));
}
}
@Test
public void createAuthenticatableResource_duplicateExternalId_shouldFail() {
authenticateSystemResource();
final String domainName1 = generateDomain();
final String resourceClassName1 = generateResourceClass(true, false);
final String domainName2 = generateDomain();
final String resourceClassName2 = generateResourceClass(true, false);
final Credentials password = PasswordCredentials.newInstance(generateUniquePassword());
final String externalId = generateUniqueExternalId();
// create resource
final Resource resource =
accessControlContext.createResource(resourceClassName1, domainName1, externalId, password);
assertThat(resource.getExternalId(), is(externalId));
// create resource with same external id and verify
try {
accessControlContext.createResource(resourceClassName2, domainName2, externalId, password);
fail("creating resource with duplicate (i.e. non-unique) external id should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("external id is not unique"));
}
}
@Test
public void createAuthenticatableResource_blankNames_shouldFail() {
authenticateSystemResource();
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, false);
final char[] password = generateUniquePassword();
final String externalId = generateUniqueExternalId();
// attempt to create authenticatable resources with empty or whitespaced parameters
try {
accessControlContext.createResource(
"", domainName, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty resource class name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("resource class required"));
}
try {
accessControlContext.createResource(
"", domainName, externalId, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty resource class name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("resource class required"));
}
try {
accessControlContext.createResource(
" \t", domainName, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty resource class name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("resource class required"));
}
try {
accessControlContext.createResource(
" \t", domainName, externalId, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty resource class name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("resource class required"));
}
try {
accessControlContext.createResource(
resourceClassName, "", PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty domain name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("domain required"));
}
try {
accessControlContext.createResource(
resourceClassName, "", externalId, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty domain name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("domain required"));
}
try {
accessControlContext.createResource(
resourceClassName, " \t", PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty domain name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("domain required"));
}
try {
accessControlContext.createResource(
resourceClassName, " \t", externalId, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty domain name should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("domain required"));
}
try {
accessControlContext.createResource(
resourceClassName, domainName, "", PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty external id should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("external id required"));
}
try {
accessControlContext.createResource(
resourceClassName, domainName, " \t", PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with empty external id should have failed");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("external id required"));
}
try {
accessControlContext.createResource(
resourceClassName, domainName, PasswordCredentials.newInstance("".toCharArray()));
fail("creating authenticatable resource with empty password should have failed");
} catch (InvalidCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("password cannot be zero length"));
}
try {
accessControlContext.createResource(
resourceClassName,
domainName,
externalId,
PasswordCredentials.newInstance("".toCharArray()));
fail("creating authenticatable resource with empty password should have failed");
} catch (InvalidCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("password cannot be zero length"));
}
try {
accessControlContext.createResource(
resourceClassName,
domainName,
externalId,
PasswordCredentials.newInstance(" \t".toCharArray()));
fail("creating authenticatable resource with empty password should have failed");
} catch (InvalidCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("password cannot be blank"));
}
try {
accessControlContext.createResource(
resourceClassName, domainName, PasswordCredentials.newInstance(" \t".toCharArray()));
fail("creating authenticatable resource with empty password should have failed");
} catch (InvalidCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("password cannot be blank"));
}
}
@Test
public void createAuthenticatableResource_nulls_shouldFail() {
authenticateSystemResource();
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, false);
final char[] password = generateUniquePassword();
final String externalId = generateUniqueExternalId();
// attempt to create resources with null parameters
try {
accessControlContext.createResource(
null, domainName, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with null resource class name should have failed");
} catch (NullPointerException e) {
assertThat(e.getMessage().toLowerCase(), containsString("resource class required"));
}
try {
accessControlContext.createResource(
null, domainName, externalId, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with null resource class name should have failed");
} catch (NullPointerException e) {
assertThat(e.getMessage().toLowerCase(), containsString("resource class required"));
}
try {
accessControlContext.createResource(
resourceClassName, null, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with null domain name should have failed");
} catch (NullPointerException e) {
assertThat(e.getMessage().toLowerCase(), containsString("domain required"));
}
try {
accessControlContext.createResource(
resourceClassName, null, externalId, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with null domain name should have failed");
} catch (NullPointerException e) {
assertThat(e.getMessage().toLowerCase(), containsString("domain required"));
}
try {
accessControlContext.createResource(
resourceClassName, domainName, null, PasswordCredentials.newInstance(password));
fail("creating authenticatable resource with null external id should have failed");
} catch (NullPointerException e) {
assertThat(e.getMessage().toLowerCase(), containsString("external id required"));
}
try {
accessControlContext.createResource(resourceClassName, domainName, (Credentials) null);
fail("creating authenticatable resource with null credentials should have failed");
} catch (NullPointerException e) {
assertThat(
e.getMessage().toLowerCase(), containsString("credentials required, none specified"));
}
try {
accessControlContext.createResource(resourceClassName, domainName, externalId, null);
fail("creating authenticatable resource with null credentials should have failed");
} catch (NullPointerException e) {
assertThat(
e.getMessage().toLowerCase(), containsString("credentials required, none specified"));
}
try {
accessControlContext.createResource(
resourceClassName, domainName, PasswordCredentials.newInstance(null));
fail("creating authenticatable resource with null password should have failed");
} catch (InvalidCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("password required, none specified"));
}
try {
accessControlContext.createResource(
resourceClassName, domainName, externalId, PasswordCredentials.newInstance(null));
fail("creating authenticatable resource with null password should have failed");
} catch (InvalidCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("password required, none specified"));
}
}
@Test
public void createAuthenticatableResource_caseSensitiveConsistent_duplicateExternalId() {
authenticateSystemResource();
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, false);
final String permissionName = generateUniquePermissionName();
final Credentials password = PasswordCredentials.newInstance(generateUniquePassword());
final String externalId = generateUniqueExternalId();
final String externalId_lower = externalId + "_eee";
final String externalId_UPPER = externalId + "_EEE";
accessControlContext.createResourcePermission(resourceClassName, permissionName);
// set up an authenticatable resource with resource class create permission
// so that we can look up the resources later via that permission
final Resource authenticatedResource = generateResourceAndAuthenticate();
grantResourceCreatePermission(
authenticatedResource, resourceClassName, domainName, permissionName);
final ResourcePermission grantedResourcePermission =
ResourcePermissions.getInstance(permissionName);
Set<Resource> resourcesByPermission;
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, grantedResourcePermission);
assertThat(resourcesByPermission.isEmpty(), is(true));
// check case sensitivity
if (isDatabaseCaseSensitive()) {
// create resource
final Resource resource =
accessControlContext.createResource(
resourceClassName, domainName, externalId_lower, password);
assertThat(resource.getExternalId(), is(externalId_lower));
// create resource with same but case-sensitive external id and verify
final Resource resource2 =
accessControlContext.createResource(
resourceClassName, domainName, externalId_UPPER, password);
assertThat(resource2.getExternalId(), is(externalId_UPPER));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, grantedResourcePermission);
assertThat(resourcesByPermission.size(), is(2));
} else {
// create resource
final Resource resource =
accessControlContext.createResource(
resourceClassName, domainName, externalId_lower, password);
assertThat(resource.getExternalId(), is(externalId_lower));
// create resource with same but case-insensitive external id and verify
try {
accessControlContext.createResource(
resourceClassName, domainName, externalId_UPPER, password);
fail(
"creating resource with external id that differs in case should have failed for case-insensitive database");
} catch (IllegalArgumentException e) {
assertThat(e.getMessage().toLowerCase(), containsString("external id is not unique"));
}
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, grantedResourcePermission);
assertThat(resourcesByPermission.size(), is(1));
}
}
@Test
public void createAuthenticatableResource_caseSensitiveConsistent_AsAuthorized() {
authenticateSystemResource();
final String domainBase = generateUniqueDomainName();
final String resourceClassBase = generateUniqueResourceClassName();
final String domain_lower = domainBase + "_ddd";
final String domain_UPPER = domainBase + "_DDD";
final String resourceClass_lower = resourceClassBase + "_ccc";
final String resourceClass_UPPER = resourceClassBase + "_CCC";
final String permissionName = generateUniquePermissionName();
final char[] passwordBase = generateUniquePassword();
final char[] password_lower = (passwordBase + "_pwd").toCharArray();
final char[] password_UPPER = (passwordBase + "_PWD").toCharArray();
accessControlContext.createDomain(domain_lower);
accessControlContext.createResourceClass(resourceClass_lower, true, false);
accessControlContext.createResourcePermission(resourceClass_lower, permissionName);
if (isDatabaseCaseSensitive()) {
accessControlContext.createDomain(domain_UPPER);
accessControlContext.createResourceClass(resourceClass_UPPER, true, false);
accessControlContext.createResourcePermission(resourceClass_UPPER, permissionName);
// set up an authenticatable resource with resource class create permission
// and an extra permission in each domain/class combo, so that we can look up
// the resources later via that permission
final Resource authenticatedResource = generateResourceAndAuthenticate();
grantResourceCreatePermission(
authenticatedResource, resourceClass_lower, domain_lower, permissionName);
grantResourceCreatePermission(
authenticatedResource, resourceClass_lower, domain_UPPER, permissionName);
grantResourceCreatePermission(
authenticatedResource, resourceClass_UPPER, domain_lower, permissionName);
grantResourceCreatePermission(
authenticatedResource, resourceClass_UPPER, domain_UPPER, permissionName);
final ResourcePermission grantedResourcePermission_lower =
ResourcePermissions.getInstance(permissionName);
final ResourcePermission grantedResourcePermission_UPPER =
ResourcePermissions.getInstance(permissionName);
Set<Resource> resourcesByPermission;
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_lower, grantedResourcePermission_lower);
assertThat(resourcesByPermission.isEmpty(), is(true));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_UPPER, grantedResourcePermission_UPPER);
assertThat(resourcesByPermission.isEmpty(), is(true));
// create resources with case-sensitive domain/class names and verify resources get created in
// different domain/classes
final Resource resource_lowlow =
accessControlContext.createResource(
resourceClass_lower, domain_lower, PasswordCredentials.newInstance(password_lower));
assertThat(resource_lowlow, is(not(nullValue())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_lower, grantedResourcePermission_lower);
assertThat(resourcesByPermission.size(), is(1));
final Resource resource_lowUP =
accessControlContext.createResource(
resourceClass_lower, domain_UPPER, PasswordCredentials.newInstance(password_UPPER));
assertThat(resource_lowUP, is(not(nullValue())));
assertThat(resource_lowUP.getId(), is(not(resource_lowlow.getId())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_lower, grantedResourcePermission_lower);
assertThat(resourcesByPermission.size(), is(2));
final Resource resource_UPlow =
accessControlContext.createResource(
resourceClass_UPPER, domain_lower, PasswordCredentials.newInstance(password_lower));
assertThat(resource_UPlow, is(not(nullValue())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_UPPER, grantedResourcePermission_UPPER);
assertThat(resourcesByPermission.size(), is(1));
final Resource resource_UPUP =
accessControlContext.createResource(
resourceClass_UPPER, domain_UPPER, PasswordCredentials.newInstance(password_UPPER));
assertThat(resource_UPUP, is(not(nullValue())));
assertThat(resource_UPUP.getId(), is(not(resource_UPlow.getId())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_UPPER, grantedResourcePermission_UPPER);
assertThat(resourcesByPermission.size(), is(2));
// verify passwords are case-sensitive
accessControlContext.authenticate(
resource_lowlow, PasswordCredentials.newInstance(password_lower));
accessControlContext.authenticate(
resource_UPUP, PasswordCredentials.newInstance(password_UPPER));
try {
accessControlContext.authenticate(
resource_lowlow, PasswordCredentials.newInstance(password_UPPER));
fail(
"authentication of system resource with case-insensitive password should not have succeeded");
} catch (IncorrectCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("invalid password"));
}
try {
accessControlContext.authenticate(
resource_UPUP, PasswordCredentials.newInstance(password_lower));
fail(
"authentication of system resource with case-insensitive password should not have succeeded");
} catch (IncorrectCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("invalid password"));
}
} else {
// set up an authenticatable resource with resource class create permission
// and an extra permission in each domain/class combo, so that we can look up
// the resources later via that permission
final Resource authenticatedResource = generateResourceAndAuthenticate();
grantResourceCreatePermission(
authenticatedResource, resourceClass_lower, domain_lower, permissionName);
final ResourcePermission grantedResourcePermission =
ResourcePermissions.getInstance(permissionName);
Set<Resource> resourcesByPermission;
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_lower, grantedResourcePermission);
assertThat(resourcesByPermission.isEmpty(), is(true));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_UPPER, grantedResourcePermission);
assertThat(resourcesByPermission.isEmpty(), is(true));
// create resources with case-sensitive domain/class names and verify resources get created in
// different domain/classes
final Resource resource_lowlow =
accessControlContext.createResource(
resourceClass_lower, domain_lower, PasswordCredentials.newInstance(password_lower));
assertThat(resource_lowlow, is(not(nullValue())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_lower, grantedResourcePermission);
assertThat(resourcesByPermission.size(), is(1));
final Resource resource_lowUP =
accessControlContext.createResource(
resourceClass_lower, domain_UPPER, PasswordCredentials.newInstance(password_UPPER));
assertThat(resource_lowUP, is(not(nullValue())));
assertThat(resource_lowUP.getId(), is(not(resource_lowlow.getId())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_lower, grantedResourcePermission);
assertThat(resourcesByPermission.size(), is(2));
final Resource resource_UPlow =
accessControlContext.createResource(
resourceClass_UPPER, domain_lower, PasswordCredentials.newInstance(password_lower));
assertThat(resource_UPlow, is(not(nullValue())));
assertThat(resource_UPlow.getId(), is(not(resource_lowlow.getId())));
assertThat(resource_UPlow.getId(), is(not(resource_lowUP.getId())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_UPPER, grantedResourcePermission);
assertThat(resourcesByPermission.size(), is(3));
final Resource resource_UPUP =
accessControlContext.createResource(
resourceClass_UPPER, domain_UPPER, PasswordCredentials.newInstance(password_UPPER));
assertThat(resource_UPUP, is(not(nullValue())));
assertThat(resource_UPUP.getId(), is(not(resource_lowlow.getId())));
assertThat(resource_UPUP.getId(), is(not(resource_lowUP.getId())));
assertThat(resource_UPUP.getId(), is(not(resource_UPlow.getId())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClass_UPPER, grantedResourcePermission);
assertThat(resourcesByPermission.size(), is(4));
// verify passwords are case-sensitive
accessControlContext.authenticate(
resource_lowlow, PasswordCredentials.newInstance(password_lower));
accessControlContext.authenticate(
resource_UPUP, PasswordCredentials.newInstance(password_UPPER));
try {
accessControlContext.authenticate(
resource_lowlow, PasswordCredentials.newInstance(password_UPPER));
fail(
"authentication of system resource with case-insensitive password should not have succeeded");
} catch (IncorrectCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("invalid password"));
}
try {
accessControlContext.authenticate(
resource_UPUP, PasswordCredentials.newInstance(password_lower));
fail(
"authentication of system resource with case-insensitive password should not have succeeded");
} catch (IncorrectCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("invalid password"));
}
}
}
@Test
public void createAuthenticatableResource_whitespaceConsistent_AsAuthorized() {
final String domainName = generateDomain();
final String resourceClassName = generateResourceClass(true, false);
final char[] password = generateUniquePassword();
// (ironically,) set up an authenticatable resource with resource class create permission
final Resource authenticatedResource = generateResourceAndAuthenticate();
final String permissionName = generateResourceClassPermission(resourceClassName);
final ResourcePermission grantedResourcePermission =
ResourcePermissions.getInstance(permissionName);
grantResourceCreatePermission(
authenticatedResource, resourceClassName, domainName, permissionName);
Set<Resource> resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, grantedResourcePermission);
assertThat(resourcesByPermission.isEmpty(), is(true));
// create resource with white-spaced names (and pwd) and verify
final String domainName_whitespaced = " " + domainName + "\t";
final String resourceClassName_whitespaced = " " + resourceClassName + "\t";
final char[] password_whitespaced = (" " + password + "\t").toCharArray();
final Resource whitespacedResource =
accessControlContext.createResource(
resourceClassName_whitespaced,
domainName_whitespaced,
PasswordCredentials.newInstance(password));
assertThat(whitespacedResource, is(not(nullValue())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, grantedResourcePermission);
assertThat(resourcesByPermission.size(), is(1));
assertThat(accessControlContext.getDomainNameByResource(whitespacedResource), is(domainName));
// create another resource WITHOUT white-spaced names and pwd
final Resource resource =
accessControlContext.createResource(
resourceClassName, domainName, PasswordCredentials.newInstance(password));
assertThat(resource, is(not(nullValue())));
resourcesByPermission =
accessControlContext.getResourcesByResourcePermissions(
authenticatedResource, resourceClassName, grantedResourcePermission);
assertThat(resourcesByPermission.size(), is(2));
assertThat(resource.getId(), is(not(whitespacedResource.getId())));
assertThat(accessControlContext.getDomainNameByResource(resource), is(domainName));
// verify passwords are whitespace-sensitive
accessControlContext.authenticate(
whitespacedResource, PasswordCredentials.newInstance(password));
accessControlContext.authenticate(resource, PasswordCredentials.newInstance(password));
try {
accessControlContext.authenticate(
whitespacedResource, PasswordCredentials.newInstance(password_whitespaced));
fail(
"authentication of resource with extra leading/trailing password should not have succeeded");
} catch (IncorrectCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("invalid password"));
}
try {
accessControlContext.authenticate(
resource, PasswordCredentials.newInstance(password_whitespaced));
fail(
"authentication of resource with extra leading/trailing password should not have succeeded");
} catch (IncorrectCredentialsException e) {
assertThat(e.getMessage().toLowerCase(), containsString("invalid password"));
}
// verify we can authenticate
accessControlContext.authenticate(resource, PasswordCredentials.newInstance(password));
accessControlContext.authenticate(
whitespacedResource, PasswordCredentials.newInstance(password));
}