package ca.nrc.cadc.ac.server.web.users;
import java.security.AccessControlException;
import java.util.Collection;
import java.util.HashSet;
import org.easymock.EasyMock;
import org.junit.Test;
import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.server.GroupDetailSelector;
import ca.nrc.cadc.ac.server.ldap.LdapGroupPersistence;
import ca.nrc.cadc.auth.HttpPrincipal;
import static org.junit.Assert.fail;
import static org.junit.Assert.assertTrue;
/**
 * Authorization tests for {@code LoginServlet.checkCanImpersonate}.
 *
 * <p>Group membership comes from an EasyMock stand-in for the LDAP group
 * persistence. Going by the calls and their comments, the first argument of
 * {@code checkCanImpersonate} is the account being impersonated and the second
 * is the account asking to impersonate it.
 *
 * <p>NOTE(review): the denials are recognised by a substring of the exception
 * message, so rewording those messages breaks this test without any change in
 * the access decision. The mocks are also never handed to
 * {@code EasyMock.verify}, so the test pins the outcome of each request but
 * not which group lookups were made to reach it.
 */
public class UserLoginServletTest
{
    /**
     * Covers the four combinations of impersonator and target: allowed
     * impersonator with an ordinary target (accepted), disallowed impersonator,
     * protected target, and both at once (each refused).
     */
    @Test
    public void getCheckCanImpersonate() throws Throwable
    {
        LoginServlet servlet = new LoginServlet()
        {
            // Explicit id for the anonymous subclass; presumably LoginServlet
            // is Serializable, which the visible code does not show.
            private static final long serialVersionUID = 1L;

            /**
             * Builds a fresh mock on every call. Membership fixture:
             * proxyUser is in proxyGroup, nonProxyUser is not; niUser is in
             * niGroup, user is not.
             */
            @Override
            protected LdapGroupPersistence<HttpPrincipal> getLdapGroupPersistence()
            {
                // Group names the servlet is expected to consult.
                proxyGroup = "proxyGroup";
                nonImpersonGroup = "niGroup";

                Collection<Group> proxyMembership = new HashSet<Group>();
                proxyMembership.add(new Group(proxyGroup));
                Collection<Group> protectedMembership = new HashSet<Group>();
                protectedMembership.add(new Group(nonImpersonGroup));

                LdapGroupPersistence<HttpPrincipal> persistence =
                    EasyMock.createMock(LdapGroupPersistence.class);

                // NOTE(review): this runs on the mock before replay(), so
                // EasyMock records the call instead of executing it; confirm
                // whether it is needed.
                persistence.setDetailSelector(new GroupDetailSelector()
                {
                    @Override
                    public boolean isDetailedSearch(Group g, Role r)
                    {
                        return false;
                    }
                });

                try
                {
                    // Who may impersonate: membership of the proxy group.
                    EasyMock.expect(
                        persistence.getGroups(new HttpPrincipal("proxyUser"),
                            Role.MEMBER, proxyGroup))
                        .andReturn(proxyMembership);
                    EasyMock.expect(
                        persistence.getGroups(new HttpPrincipal("nonProxyUser"),
                            Role.MEMBER, proxyGroup))
                        .andReturn(new HashSet<Group>());

                    // Who may be impersonated: absence from the protected group.
                    EasyMock.expect(
                        persistence.getGroups(new HttpPrincipal("user"),
                            Role.MEMBER, nonImpersonGroup))
                        .andReturn(new HashSet<Group>());
                    EasyMock.expect(
                        persistence.getGroups(new HttpPrincipal("niUser"),
                            Role.MEMBER, nonImpersonGroup))
                        .andReturn(protectedMembership);

                    EasyMock.replay(persistence);
                }
                catch (Exception e)
                {
                    // The overridden method declares no checked exceptions.
                    throw new RuntimeException(e);
                }
                return persistence;
            }
        };

        // Allowed: a proxy-group member impersonating an ordinary account.
        servlet.checkCanImpersonate("user", "proxyUser");

        // Refused: the impersonator is not in the proxy group.
        assertRefused(servlet, "user", "nonProxyUser",
            "not allowed to impersonate");

        // Refused: the target is in the non-impersonable group.
        assertRefused(servlet, "niUser", "proxyUser", "non impersonable");

        // Refused on both counts; the message reported is the impersonator's
        // denial, which suggests that check takes precedence.
        assertRefused(servlet, "niUser", "nonProxyUser",
            "not allowed to impersonate");
    }

    /**
     * Asserts that an impersonation request is refused with an
     * {@link AccessControlException} whose message contains the given text.
     *
     * @param servlet          servlet under test
     * @param target           account to be impersonated
     * @param impersonator     account requesting the impersonation
     * @param expectedFragment text the denial message must contain
     */
    private static void assertRefused(LoginServlet servlet, String target,
        String impersonator, String expectedFragment) throws Throwable
    {
        try
        {
            servlet.checkCanImpersonate(target, impersonator);
            fail("AccessControlException expected");
        }
        catch (AccessControlException denied)
        {
            assertTrue(denied.getMessage().contains(expectedFragment));
        }
    }
}