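@Test
public void testUpdateConfiguration() throws Exception {
    // Baseline: the seeded URI policy rule for /testApp/storage* lets 'user' read,
    // rejects 'evil', and does not decide for anonymous (IGNORE).
    RequestContext.Builder storageReq = new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/storage"));
    assertAuthzDecision(storageReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(user), AuthzDecision.ACCEPT);
    assertAuthzDecision(storageReq.securityContext(evil), AuthzDecision.REJECT);

    // Read the live URI policy configuration through the admin resource.
    RequestContext reqCtx = new RequestContext.Builder();
    ResourceState config = client.read(reqCtx, "/admin/applications/testApp/resources/uri-policy");
    @SuppressWarnings("unchecked") // RULES_PROPERTY holds the list of rule states; the read side gives back an untyped List
    List<ResourceState> rules = (List<ResourceState>) config.getProperty(URIPolicyConfigResource.RULES_PROPERTY);
    Assert.assertNotNull("uri-policy config has no '" + URIPolicyConfigResource.RULES_PROPERTY + "' property", rules);

    // Locate the storage rule by its URI pattern. Constant-first equals: a rule with no
    // 'uriPattern' property must surface as the assertion below, not as an NPE here.
    ResourceState storageRule = null;
    for (ResourceState rule : rules) {
        if ("/testApp/storage*".equals(rule.getProperty("uriPattern"))) {
            storageRule = rule;
            break;
        }
    }
    Assert.assertNotNull("no rule with uriPattern /testApp/storage* in uri-policy config", storageRule);
    rules.remove(storageRule);

    // Write the configuration back without the storage rule.
    client.update(reqCtx, "/admin/applications/testApp/resources/uri-policy", config);

    // With no matching rule the URI policy abstains for everyone. IGNORE is an
    // abstention, not a grant — presumably some other policy or the default decides; confirm.
    assertAuthzDecision(storageReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(user), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(evil), AuthzDecision.IGNORE);

    // Re-add the storage rule with its 'deniedUsers' section stripped.
    storageRule.removeProperty("deniedUsers");
    rules.add(storageRule);
    client.update(reqCtx, "/admin/applications/testApp/resources/uri-policy", config);

    // Without a deny list the rule now accepts 'evil' as well; anonymous is still not covered.
    assertAuthzDecision(storageReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(user), AuthzDecision.ACCEPT);
    assertAuthzDecision(storageReq.securityContext(evil), AuthzDecision.ACCEPT);
}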
@Test
public void testAuthorizationRequest() throws Exception {
    // Public 'client' pages: every principal is accepted.
    RequestContext.Builder clientPage = new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/client/some"));
    expectDecisions(clientPage, AuthzDecision.ACCEPT, AuthzDecision.ACCEPT, AuthzDecision.ACCEPT);

    // /app/some is not covered by any URI rule: the policy abstains for everyone.
    RequestContext.Builder appPage = new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/app/some"));
    expectDecisions(appPage, AuthzDecision.IGNORE, AuthzDecision.IGNORE, AuthzDecision.IGNORE);

    // /app/index.html is explicitly open to all principals.
    RequestContext.Builder appIndex = new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/app/index.html"));
    expectDecisions(appIndex, AuthzDecision.ACCEPT, AuthzDecision.ACCEPT, AuthzDecision.ACCEPT);

    // READ of the storage root: 'user' accepted, 'evil' rejected, anonymous not decided.
    RequestContext.Builder storage = new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/storage"));
    expectDecisions(storage, AuthzDecision.IGNORE, AuthzDecision.ACCEPT, AuthzDecision.REJECT);

    // READ of a collection under storage: same decisions as the storage root.
    storage.resourcePath(new ResourcePath("/testApp/storage/todomvc"));
    expectDecisions(storage, AuthzDecision.IGNORE, AuthzDecision.ACCEPT, AuthzDecision.REJECT);

    // CREATE on that collection: no rule covers it, so the policy abstains for everyone.
    storage.requestType(RequestType.CREATE);
    expectDecisions(storage, AuthzDecision.IGNORE, AuthzDecision.IGNORE, AuthzDecision.IGNORE);
}

/**
 * Asserts the authorization decision for the same request as seen by each of the
 * three test principals, in the order anonymous, user, evil.
 *
 * @param req          request under test; its security context is overwritten per principal
 * @param forAnonymous decision expected for the anonymous security context
 * @param forUser      decision expected for the 'user' security context
 * @param forEvil      decision expected for the 'evil' security context
 */
private void expectDecisions(RequestContext.Builder req,
                             AuthzDecision forAnonymous,
                             AuthzDecision forUser,
                             AuthzDecision forEvil) throws Exception {
    assertAuthzDecision(req.securityContext(anonymous), forAnonymous);
    assertAuthzDecision(req.securityContext(user), forUser);
    assertAuthzDecision(req.securityContext(evil), forEvil);
}