001/* 002 * Licensed to DuraSpace under one or more contributor license agreements. 003 * See the NOTICE file distributed with this work for additional information 004 * regarding copyright ownership. 005 * 006 * DuraSpace licenses this file to you under the Apache License, 007 * Version 2.0 (the "License"); you may not use this file except in 008 * compliance with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.fcrepo.auth.webac; 019 020import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN; 021import static javax.servlet.http.HttpServletResponse.SC_OK; 022import static org.apache.jena.riot.WebContent.contentTypeSPARQLUpdate; 023import static org.fcrepo.auth.common.ServletContainerAuthFilter.FEDORA_ADMIN_ROLE; 024import static org.fcrepo.auth.common.ServletContainerAuthFilter.FEDORA_USER_ROLE; 025import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_APPEND; 026import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_CONTROL; 027import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_READ; 028import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_WRITE; 029import static org.fcrepo.kernel.api.FedoraTypes.FEDORA_BINARY; 030import static org.junit.Assert.assertEquals; 031import static org.mockito.Mockito.when; 032 033import java.io.IOException; 034import java.net.URI; 035 036import javax.servlet.ServletException; 037 038import org.apache.shiro.SecurityUtils; 039import org.apache.shiro.mgt.SecurityManager; 040import org.apache.shiro.subject.Subject; 041import org.apache.shiro.subject.support.SubjectThreadState; 042import org.fcrepo.http.commons.session.SessionFactory; 043import org.fcrepo.kernel.api.FedoraSession; 044import org.fcrepo.kernel.api.models.FedoraResource; 045import org.fcrepo.kernel.api.services.NodeService; 046import org.fcrepo.kernel.modeshape.ContainerImpl; 047import org.fcrepo.kernel.modeshape.FedoraBinaryImpl; 048import org.junit.After; 049import org.junit.Before; 050import org.junit.Test; 051import org.junit.runner.RunWith; 052import org.mockito.InjectMocks; 053import org.mockito.Mock; 054import org.mockito.Mockito; 055import org.mockito.junit.MockitoJUnitRunner; 056import org.springframework.mock.web.MockFilterChain; 057import org.springframework.mock.web.MockHttpServletRequest; 058import org.springframework.mock.web.MockHttpServletResponse; 059 060/** 061 * @author peichman 062 */ 063@RunWith(MockitoJUnitRunner.Silent.class) 064public class WebACFilterTest { 065 066 private static final String baseURL = "http://localhost"; 067 068 private static final String testPath = "/testUri"; 069 070 private static final String testChildPath = testPath + "/child"; 071 072 private static final String testAclPath = testPath + "/fcr:acl"; 073 074 private static final URI testURI = URI.create(baseURL + testPath); 075 076 private static final URI testAclURI = URI.create(baseURL + testAclPath); 077 078 private static final URI testChildURI = URI.create(baseURL + testChildPath); 079 080 @Mock 081 private SecurityManager mockSecurityManager; 082 083 @Mock 084 private SessionFactory mockSessionFactory; 085 086 @Mock 087 private NodeService mockNodeService; 088 089 private FedoraSession mockFedoraSession; 090 091 private FedoraResource mockContainer; 092 093 private FedoraResource mockBinary; 094 095 @InjectMocks 096 private WebACFilter webacFilter = new WebACFilter(); 097 098 private static final WebACPermission readPermission = new WebACPermission(WEBAC_MODE_READ, testURI); 099 100 private static final WebACPermission appendPermission = new WebACPermission(WEBAC_MODE_APPEND, testURI); 101 102 private static final WebACPermission appendChildPermission = new WebACPermission(WEBAC_MODE_APPEND, testChildURI); 103 104 private static final WebACPermission writePermission = new WebACPermission(WEBAC_MODE_WRITE, testURI); 105 106 private static final WebACPermission controlPermission = new WebACPermission(WEBAC_MODE_CONTROL, testURI); 107 108 private static final WebACPermission readAclPermission = new WebACPermission(WEBAC_MODE_READ, testAclURI); 109 private static final WebACPermission appendAclPermission = new WebACPermission(WEBAC_MODE_APPEND, testAclURI); 110 private static final WebACPermission writeAclPermission = new WebACPermission(WEBAC_MODE_WRITE, testAclURI); 111 private static final WebACPermission controlAclPermission = new WebACPermission(WEBAC_MODE_CONTROL, testAclURI); 112 113 private MockHttpServletRequest request; 114 115 private MockHttpServletResponse response; 116 117 private MockFilterChain filterChain; 118 119 private SubjectThreadState threadState; 120 121 private Subject mockSubject; 122 123 @Before 124 public void setupRequest() { 125 SecurityUtils.setSecurityManager(mockSecurityManager); 126 127 mockSubject = Mockito.mock(Subject.class); 128 threadState = new SubjectThreadState(mockSubject); 129 threadState.bind(); 130 131 request = new MockHttpServletRequest(); 132 response = new MockHttpServletResponse(); 133 filterChain = new MockFilterChain(); 134 135 // set default request URI and path info 136 // for the purposes of this test, there is no context path 137 // so the request URI and path info are the same 138 request.setPathInfo(testPath); 139 request.setRequestURI(testPath); 140 141 mockContainer = Mockito.mock(ContainerImpl.class); 142 mockBinary = Mockito.mock(FedoraBinaryImpl.class); 143 144 when(mockSessionFactory.getInternalSession()).thenReturn(mockFedoraSession); 145 146 when(mockNodeService.exists(mockFedoraSession, testPath)).thenReturn(true); 147 when(mockNodeService.exists(mockFedoraSession, testChildPath)).thenReturn(false); 148 } 149 150 private void setupContainerResource() { 151 when(mockNodeService.find(mockFedoraSession, testPath)).thenReturn(mockContainer); 152 when(mockBinary.hasType(FEDORA_BINARY)).thenReturn(false); 153 } 154 155 private void setupBinaryResource() { 156 when(mockNodeService.find(mockFedoraSession, testPath)).thenReturn(mockBinary); 157 when(mockBinary.hasType(FEDORA_BINARY)).thenReturn(true); 158 } 159 160 private void setupAdminUser() { 161 // admin user 162 when(mockSubject.isAuthenticated()).thenReturn(true); 163 when(mockSubject.hasRole(FEDORA_ADMIN_ROLE)).thenReturn(true); 164 } 165 166 private void setupAuthUserNoPerms() { 167 // authenticated user without permissions 168 when(mockSubject.isAuthenticated()).thenReturn(true); 169 when(mockSubject.hasRole(FEDORA_ADMIN_ROLE)).thenReturn(false); 170 when(mockSubject.hasRole(FEDORA_USER_ROLE)).thenReturn(true); 171 when(mockSubject.isPermitted(readPermission)).thenReturn(false); 172 when(mockSubject.isPermitted(appendPermission)).thenReturn(false); 173 when(mockSubject.isPermitted(writePermission)).thenReturn(false); 174 when(mockSubject.isPermitted(controlPermission)).thenReturn(false); 175 176 } 177 178 private void setupAuthUserReadOnly() { 179 // authenticated user with only read permissions 180 when(mockSubject.isAuthenticated()).thenReturn(true); 181 when(mockSubject.hasRole(FEDORA_ADMIN_ROLE)).thenReturn(false); 182 when(mockSubject.hasRole(FEDORA_USER_ROLE)).thenReturn(true); 183 when(mockSubject.isPermitted(readPermission)).thenReturn(true); 184 when(mockSubject.isPermitted(appendPermission)).thenReturn(false); 185 when(mockSubject.isPermitted(writePermission)).thenReturn(false); 186 when(mockSubject.isPermitted(controlPermission)).thenReturn(false); 187 188 } 189 190 private void setupAuthUserAppendOnly() { 191 // authenticated user with only read permissions 192 when(mockSubject.isAuthenticated()).thenReturn(true); 193 when(mockSubject.hasRole(FEDORA_ADMIN_ROLE)).thenReturn(false); 194 when(mockSubject.hasRole(FEDORA_USER_ROLE)).thenReturn(true); 195 when(mockSubject.isPermitted(readPermission)).thenReturn(false); 196 when(mockSubject.isPermitted(appendPermission)).thenReturn(true); 197 when(mockSubject.isPermitted(appendChildPermission)).thenReturn(true); 198 when(mockSubject.isPermitted(writePermission)).thenReturn(false); 199 when(mockSubject.isPermitted(controlPermission)).thenReturn(false); 200 201 } 202 203 private void setupAuthUserReadAppend() { 204 // authenticated user with only read permissions 205 when(mockSubject.isAuthenticated()).thenReturn(true); 206 when(mockSubject.hasRole(FEDORA_ADMIN_ROLE)).thenReturn(false); 207 when(mockSubject.hasRole(FEDORA_USER_ROLE)).thenReturn(true); 208 when(mockSubject.isPermitted(readPermission)).thenReturn(true); 209 when(mockSubject.isPermitted(appendPermission)).thenReturn(true); 210 when(mockSubject.isPermitted(appendChildPermission)).thenReturn(true); 211 when(mockSubject.isPermitted(writePermission)).thenReturn(false); 212 when(mockSubject.isPermitted(controlPermission)).thenReturn(false); 213 } 214 215 private void setupAuthUserReadWrite() { 216 // authenticated user with read and write permissions 217 when(mockSubject.isAuthenticated()).thenReturn(true); 218 when(mockSubject.hasRole(FEDORA_ADMIN_ROLE)).thenReturn(false); 219 when(mockSubject.hasRole(FEDORA_USER_ROLE)).thenReturn(true); 220 when(mockSubject.isPermitted(readPermission)).thenReturn(true); 221 when(mockSubject.isPermitted(appendPermission)).thenReturn(false); 222 when(mockSubject.isPermitted(writePermission)).thenReturn(true); 223 when(mockSubject.isPermitted(controlPermission)).thenReturn(false); 224 } 225 226 private void setupAuthUserAclControl() { 227 // authenticated user with read and write permissions 228 when(mockSubject.isAuthenticated()).thenReturn(true); 229 when(mockSubject.hasRole(FEDORA_ADMIN_ROLE)).thenReturn(false); 230 when(mockSubject.hasRole(FEDORA_USER_ROLE)).thenReturn(true); 231 when(mockSubject.isPermitted(readAclPermission)).thenReturn(false); 232 when(mockSubject.isPermitted(appendAclPermission)).thenReturn(false); 233 when(mockSubject.isPermitted(writeAclPermission)).thenReturn(false); 234 when(mockSubject.isPermitted(controlAclPermission)).thenReturn(true); 235 } 236 237 private void setupAuthUserNoAclControl() { 238 // authenticated user with read and write permissions 239 when(mockSubject.isAuthenticated()).thenReturn(true); 240 when(mockSubject.hasRole(FEDORA_ADMIN_ROLE)).thenReturn(false); 241 when(mockSubject.hasRole(FEDORA_USER_ROLE)).thenReturn(true); 242 when(mockSubject.isPermitted(readAclPermission)).thenReturn(true); 243 when(mockSubject.isPermitted(appendAclPermission)).thenReturn(true); 244 when(mockSubject.isPermitted(writeAclPermission)).thenReturn(true); 245 when(mockSubject.isPermitted(controlAclPermission)).thenReturn(false); 246 } 247 248 private void setupAuthUserReadAppendWrite() { 249 // authenticated user with read and write permissions 250 when(mockSubject.isAuthenticated()).thenReturn(true); 251 when(mockSubject.hasRole(FEDORA_ADMIN_ROLE)).thenReturn(false); 252 when(mockSubject.hasRole(FEDORA_USER_ROLE)).thenReturn(true); 253 when(mockSubject.isPermitted(readPermission)).thenReturn(true); 254 when(mockSubject.isPermitted(appendPermission)).thenReturn(true); 255 when(mockSubject.isPermitted(appendChildPermission)).thenReturn(true); 256 when(mockSubject.isPermitted(writePermission)).thenReturn(true); 257 when(mockSubject.isPermitted(controlPermission)).thenReturn(true); 258 259 } 260 261 @Test 262 public void testAdminUserHead() throws ServletException, IOException { 263 setupAdminUser(); 264 // HEAD => 200 265 request.setMethod("HEAD"); 266 webacFilter.doFilter(request, response, filterChain); 267 assertEquals(SC_OK, response.getStatus()); 268 } 269 270 @Test 271 public void testAdminUserOptions() throws ServletException, IOException { 272 setupAdminUser(); 273 // GET => 200 274 request.setMethod("OPTIONS"); 275 webacFilter.doFilter(request, response, filterChain); 276 assertEquals(SC_OK, response.getStatus()); 277 } 278 279 @Test 280 public void testAdminUserGet() throws ServletException, IOException { 281 setupAdminUser(); 282 // GET => 200 283 request.setMethod("GET"); 284 webacFilter.doFilter(request, response, filterChain); 285 assertEquals(SC_OK, response.getStatus()); 286 } 287 288 @Test 289 public void testAdminUserPost() throws ServletException, IOException { 290 setupAdminUser(); 291 // GET => 200 292 request.setMethod("POST"); 293 webacFilter.doFilter(request, response, filterChain); 294 assertEquals(SC_OK, response.getStatus()); 295 } 296 297 @Test 298 public void testAdminUserPut() throws ServletException, IOException { 299 setupAdminUser(); 300 // GET => 200 301 request.setMethod("PUT"); 302 webacFilter.doFilter(request, response, filterChain); 303 assertEquals(SC_OK, response.getStatus()); 304 } 305 306 @Test 307 public void testAdminUserPatch() throws ServletException, IOException { 308 setupAdminUser(); 309 // GET => 200 310 request.setMethod("PATCH"); 311 webacFilter.doFilter(request, response, filterChain); 312 assertEquals(SC_OK, response.getStatus()); 313 } 314 315 @Test 316 public void testAdminUserDelete() throws ServletException, IOException { 317 setupAdminUser(); 318 // GET => 200 319 request.setMethod("DELETE"); 320 webacFilter.doFilter(request, response, filterChain); 321 assertEquals(SC_OK, response.getStatus()); 322 } 323 324 @Test 325 public void testAuthUserNoPermsHead() throws ServletException, IOException { 326 setupAuthUserNoPerms(); 327 // HEAD => 403 328 request.setMethod("HEAD"); 329 webacFilter.doFilter(request, response, filterChain); 330 assertEquals(SC_FORBIDDEN, response.getStatus()); 331 } 332 333 @Test 334 public void testAuthUserNoPermsOptions() throws ServletException, IOException { 335 setupAuthUserNoPerms(); 336 // GET => 403 337 request.setMethod("OPTIONS"); 338 webacFilter.doFilter(request, response, filterChain); 339 assertEquals(SC_FORBIDDEN, response.getStatus()); 340 } 341 342 @Test 343 public void testAuthUserNoPermsGet() throws ServletException, IOException { 344 setupAuthUserNoPerms(); 345 // GET => 403 346 request.setMethod("GET"); 347 webacFilter.doFilter(request, response, filterChain); 348 assertEquals(SC_FORBIDDEN, response.getStatus()); 349 } 350 351 @Test 352 public void testAuthUserNoPermsPost() throws ServletException, IOException { 353 setupAuthUserNoPerms(); 354 setupContainerResource(); 355 // POST => 403 356 request.setMethod("POST"); 357 webacFilter.doFilter(request, response, filterChain); 358 assertEquals(SC_FORBIDDEN, response.getStatus()); 359 } 360 361 @Test 362 public void testAuthUserNoPermsPut() throws ServletException, IOException { 363 setupAuthUserNoPerms(); 364 // PUT => 403 365 request.setMethod("PUT"); 366 webacFilter.doFilter(request, response, filterChain); 367 assertEquals(SC_FORBIDDEN, response.getStatus()); 368 } 369 370 @Test 371 public void testAuthUserNoPermsPatch() throws ServletException, IOException { 372 setupAuthUserNoPerms(); 373 // PATCH => 403 374 request.setMethod("PATCH"); 375 webacFilter.doFilter(request, response, filterChain); 376 assertEquals(SC_FORBIDDEN, response.getStatus()); 377 } 378 379 @Test 380 public void testAuthUserNoPermsDelete() throws ServletException, IOException { 381 setupAuthUserNoPerms(); 382 // DELETE => 403 383 request.setMethod("DELETE"); 384 webacFilter.doFilter(request, response, filterChain); 385 assertEquals(SC_FORBIDDEN, response.getStatus()); 386 } 387 388 @Test 389 public void testAuthUserReadOnlyHead() throws ServletException, IOException { 390 setupAuthUserReadOnly(); 391 // HEAD => 200 392 request.setMethod("HEAD"); 393 webacFilter.doFilter(request, response, filterChain); 394 assertEquals(SC_OK, response.getStatus()); 395 } 396 397 @Test 398 public void testAuthUserReadOnlyOptions() throws ServletException, IOException { 399 setupAuthUserReadOnly(); 400 // GET => 200 401 request.setMethod("OPTIONS"); 402 webacFilter.doFilter(request, response, filterChain); 403 assertEquals(SC_OK, response.getStatus()); 404 } 405 406 @Test 407 public void testAuthUserReadOnlyGet() throws ServletException, IOException { 408 setupAuthUserReadOnly(); 409 // GET => 200 410 request.setMethod("GET"); 411 webacFilter.doFilter(request, response, filterChain); 412 assertEquals(SC_OK, response.getStatus()); 413 } 414 415 @Test 416 public void testAuthUserReadOnlyPost() throws ServletException, IOException { 417 setupAuthUserReadOnly(); 418 setupContainerResource(); 419 // POST => 403 420 request.setMethod("POST"); 421 webacFilter.doFilter(request, response, filterChain); 422 assertEquals(SC_FORBIDDEN, response.getStatus()); 423 } 424 425 @Test 426 public void testAuthUserReadOnlyPut() throws ServletException, IOException { 427 setupAuthUserReadOnly(); 428 // PUT => 403 429 request.setMethod("PUT"); 430 webacFilter.doFilter(request, response, filterChain); 431 assertEquals(SC_FORBIDDEN, response.getStatus()); 432 } 433 434 @Test 435 public void testAuthUserReadOnlyPatch() throws ServletException, IOException { 436 setupAuthUserReadOnly(); 437 // PATCH => 403 438 request.setMethod("PATCH"); 439 webacFilter.doFilter(request, response, filterChain); 440 assertEquals(SC_FORBIDDEN, response.getStatus()); 441 } 442 443 @Test 444 public void testAuthUserReadOnlyDelete() throws ServletException, IOException { 445 setupAuthUserReadOnly(); 446 // DELETE => 403 447 request.setMethod("DELETE"); 448 webacFilter.doFilter(request, response, filterChain); 449 assertEquals(SC_FORBIDDEN, response.getStatus()); 450 } 451 452 @Test 453 public void testAuthUserReadAppendPatchNonSparqlContent() throws ServletException, IOException { 454 setupAuthUserReadAppend(); 455 // PATCH (Non Sparql Content) => 403 456 request.setRequestURI(testPath); 457 request.setMethod("PATCH"); 458 webacFilter.doFilter(request, response, filterChain); 459 assertEquals(SC_FORBIDDEN, response.getStatus()); 460 } 461 462 @Test 463 public void testAuthUserReadAppendPatchSparqlNoContent() throws ServletException, IOException { 464 setupAuthUserReadAppend(); 465 // PATCH (Sparql No Content) => 200 (204) 466 request.setContentType(contentTypeSPARQLUpdate); 467 request.setRequestURI(testPath); 468 request.setMethod("PATCH"); 469 webacFilter.doFilter(request, response, filterChain); 470 assertEquals(SC_OK, response.getStatus()); 471 } 472 473 @Test 474 public void testAuthUserReadAppendPatchSparqlInvalidContent() throws ServletException, IOException { 475 setupAuthUserReadAppend(); 476 // PATCH (Sparql Invalid Content) => 403 477 request.setContentType(contentTypeSPARQLUpdate); 478 request.setContent("SOME TEXT".getBytes()); 479 request.setRequestURI(testPath); 480 request.setMethod("PATCH"); 481 webacFilter.doFilter(request, response, filterChain); 482 assertEquals(SC_FORBIDDEN, response.getStatus()); 483 } 484 485 @Test 486 public void testAuthUserReadAppendPatchSparqlInsert() throws ServletException, IOException { 487 setupAuthUserReadAppend(); 488 // PATCH (Sparql INSERT) => 200 (204) 489 final String updateString = 490 "INSERT { <> <http://purl.org/dc/elements/1.1/title> \"new title\" } WHERE { }"; 491 request.setContentType(contentTypeSPARQLUpdate); 492 request.setContent(updateString.getBytes()); 493 request.setRequestURI(testPath); 494 request.setMethod("PATCH"); 495 webacFilter.doFilter(request, response, filterChain); 496 assertEquals(SC_OK, response.getStatus()); 497 } 498 499 @Test 500 public void testAuthUserReadAppendPatchSparqlDelete() throws ServletException, IOException { 501 setupAuthUserReadAppend(); 502 // PATCH (Sparql DELETE) => 403 503 final String updateString = 504 "DELETE { <> <http://purl.org/dc/elements/1.1/title> \"new title\" } WHERE { }"; 505 request.setContentType(contentTypeSPARQLUpdate); 506 request.setContent(updateString.getBytes()); 507 request.setRequestURI(testPath); 508 request.setMethod("PATCH"); 509 webacFilter.doFilter(request, response, filterChain); 510 assertEquals(SC_FORBIDDEN, response.getStatus()); 511 } 512 513 @Test 514 public void testAuthUserAppendPostContainer() throws IOException, ServletException { 515 setupAuthUserAppendOnly(); 516 setupContainerResource(); 517 // POST => 200 518 request.setRequestURI(testPath); 519 request.setMethod("POST"); 520 webacFilter.doFilter(request, response, filterChain); 521 assertEquals(SC_OK, response.getStatus()); 522 } 523 524 @Test 525 public void testAuthUserAppendPostBinary() throws IOException, ServletException { 526 setupAuthUserAppendOnly(); 527 setupBinaryResource(); 528 // POST => 403 529 request.setRequestURI(testPath); 530 request.setMethod("POST"); 531 webacFilter.doFilter(request, response, filterChain); 532 assertEquals(SC_FORBIDDEN, response.getStatus()); 533 } 534 535 @Test 536 public void testAuthUserAppendDelete() throws IOException, ServletException { 537 setupAuthUserAppendOnly(); 538 // POST => 403 539 request.setRequestURI(testPath); 540 request.setMethod("DELETE"); 541 webacFilter.doFilter(request, response, filterChain); 542 assertEquals(SC_FORBIDDEN, response.getStatus()); 543 } 544 545 @Test 546 public void testAuthUserReadAppendPostContainer() throws IOException, ServletException { 547 setupAuthUserReadAppend(); 548 setupContainerResource(); 549 // POST => 200 550 request.setRequestURI(testPath); 551 request.setMethod("POST"); 552 webacFilter.doFilter(request, response, filterChain); 553 assertEquals(SC_OK, response.getStatus()); 554 } 555 556 @Test 557 public void testAuthUserReadAppendPostBinary() throws IOException, ServletException { 558 setupAuthUserReadAppend(); 559 setupBinaryResource(); 560 // POST => 403 561 request.setRequestURI(testPath); 562 request.setMethod("POST"); 563 webacFilter.doFilter(request, response, filterChain); 564 assertEquals(SC_FORBIDDEN, response.getStatus()); 565 } 566 567 @Test 568 public void testAuthUserReadAppendDelete() throws ServletException, IOException { 569 setupAuthUserReadAppend(); 570 // DELETE => 403 571 request.setRequestURI(testPath); 572 request.setMethod("DELETE"); 573 webacFilter.doFilter(request, response, filterChain); 574 assertEquals(SC_FORBIDDEN, response.getStatus()); 575 } 576 577 @Test 578 public void testAuthUserReadAppendWritePostContainer() throws IOException, ServletException { 579 setupAuthUserReadAppendWrite(); 580 setupContainerResource(); 581 // POST => 200 582 request.setRequestURI(testPath); 583 request.setMethod("POST"); 584 webacFilter.doFilter(request, response, filterChain); 585 assertEquals(SC_OK, response.getStatus()); 586 } 587 588 @Test 589 public void testAuthUserReadAppendWritePostBinary() throws IOException, ServletException { 590 setupAuthUserReadAppendWrite(); 591 setupBinaryResource(); 592 // POST => 200 593 request.setRequestURI(testPath); 594 request.setMethod("POST"); 595 webacFilter.doFilter(request, response, filterChain); 596 assertEquals(SC_OK, response.getStatus()); 597 } 598 599 @Test 600 public void testAuthUserReadWriteHead() throws ServletException, IOException { 601 setupAuthUserReadWrite(); 602 // HEAD => 200 603 request.setMethod("HEAD"); 604 webacFilter.doFilter(request, response, filterChain); 605 assertEquals(SC_OK, response.getStatus()); 606 } 607 608 @Test 609 public void testAuthUserReadWriteOptions() throws ServletException, IOException { 610 setupAuthUserReadWrite(); 611 // GET => 200 612 request.setMethod("OPTIONS"); 613 webacFilter.doFilter(request, response, filterChain); 614 assertEquals(SC_OK, response.getStatus()); 615 } 616 617 @Test 618 public void testAuthUserReadWriteGet() throws ServletException, IOException { 619 setupAuthUserReadWrite(); 620 // GET => 200 621 request.setMethod("GET"); 622 webacFilter.doFilter(request, response, filterChain); 623 assertEquals(SC_OK, response.getStatus()); 624 } 625 626 @Test 627 public void testAuthUserReadWritePost() throws ServletException, IOException { 628 setupAuthUserReadWrite(); 629 // POST => 200 630 request.setMethod("POST"); 631 webacFilter.doFilter(request, response, filterChain); 632 assertEquals(SC_OK, response.getStatus()); 633 } 634 635 @Test 636 public void testAuthUserReadWritePut() throws ServletException, IOException { 637 setupAuthUserReadWrite(); 638 // PUT => 200 639 request.setMethod("PUT"); 640 webacFilter.doFilter(request, response, filterChain); 641 assertEquals(SC_OK, response.getStatus()); 642 } 643 644 @Test 645 public void testAuthUserReadWritePatch() throws ServletException, IOException { 646 setupAuthUserReadWrite(); 647 // PATCH => 200 648 request.setMethod("PATCH"); 649 webacFilter.doFilter(request, response, filterChain); 650 assertEquals(SC_OK, response.getStatus()); 651 } 652 653 @Test 654 public void testAuthUserReadWriteDelete() throws ServletException, IOException { 655 setupAuthUserReadWrite(); 656 // DELETE => 200 657 request.setMethod("DELETE"); 658 webacFilter.doFilter(request, response, filterChain); 659 assertEquals(SC_OK, response.getStatus()); 660 } 661 662 @Test 663 public void testAuthUserReadAppendWriteDelete() throws ServletException, IOException { 664 setupAuthUserReadAppendWrite(); 665 // DELETE => 200 666 request.setRequestURI(testPath); 667 request.setMethod("DELETE"); 668 webacFilter.doFilter(request, response, filterChain); 669 assertEquals(SC_OK, response.getStatus()); 670 } 671 672 @Test 673 public void testAuthUserAppendPutNewChild() throws IOException, ServletException { 674 setupAuthUserAppendOnly(); 675 // PUT => 200 676 request.setRequestURI(testChildPath); 677 request.setPathInfo(testChildPath); 678 request.setMethod("PUT"); 679 webacFilter.doFilter(request, response, filterChain); 680 assertEquals(SC_OK, response.getStatus()); 681 } 682 683 @Test 684 public void testAclControlPutToAcl() throws ServletException, IOException { 685 setupAuthUserAclControl(); 686 request.setRequestURI(testAclPath); 687 request.setMethod("PUT"); 688 webacFilter.doFilter(request, response, filterChain); 689 assertEquals(SC_OK, response.getStatus()); 690 } 691 692 @Test 693 public void testNoAclControlPutToAcl() throws ServletException, IOException { 694 setupAuthUserNoAclControl(); 695 request.setRequestURI(testAclPath); 696 request.setMethod("PUT"); 697 webacFilter.doFilter(request, response, filterChain); 698 assertEquals(SC_FORBIDDEN, response.getStatus()); 699 } 700 701 @Test 702 public void testAclControlGetToAcl() throws ServletException, IOException { 703 setupAuthUserAclControl(); 704 request.setRequestURI(testAclPath); 705 request.setMethod("GET"); 706 webacFilter.doFilter(request, response, filterChain); 707 assertEquals(SC_OK, response.getStatus()); 708 } 709 710 @Test 711 public void testNoAclControlGetToAcl() throws ServletException, IOException { 712 setupAuthUserNoAclControl(); 713 request.setRequestURI(testAclPath); 714 request.setMethod("GET"); 715 webacFilter.doFilter(request, response, filterChain); 716 assertEquals(SC_FORBIDDEN, response.getStatus()); 717 } 718 719 @Test 720 public void testAclControlHeadToAcl() throws ServletException, IOException { 721 setupAuthUserAclControl(); 722 request.setRequestURI(testAclPath); 723 request.setMethod("HEAD"); 724 webacFilter.doFilter(request, response, filterChain); 725 assertEquals(SC_OK, response.getStatus()); 726 } 727 728 @Test 729 public void testNoAclControlHeadToAcl() throws ServletException, IOException { 730 setupAuthUserNoAclControl(); 731 request.setRequestURI(testAclPath); 732 request.setMethod("HEAD"); 733 webacFilter.doFilter(request, response, filterChain); 734 assertEquals(SC_FORBIDDEN, response.getStatus()); 735 } 736 737 @Test 738 public void testAclControlPatchToAcl() throws ServletException, IOException { 739 setupAuthUserAclControl(); 740 request.setRequestURI(testAclPath); 741 request.setMethod("PATCH"); 742 webacFilter.doFilter(request, response, filterChain); 743 assertEquals(SC_OK, response.getStatus()); 744 } 745 746 @Test 747 public void testNoAclControlPatchToAcl() throws ServletException, IOException { 748 setupAuthUserNoAclControl(); 749 request.setRequestURI(testAclPath); 750 request.setMethod("PATCH"); 751 webacFilter.doFilter(request, response, filterChain); 752 assertEquals(SC_FORBIDDEN, response.getStatus()); 753 } 754 755 @Test 756 public void testAclControlDelete() throws ServletException, IOException { 757 setupAuthUserAclControl(); 758 request.setRequestURI(testAclPath); 759 request.setMethod("DELETE"); 760 webacFilter.doFilter(request, response, filterChain); 761 assertEquals(SC_OK, response.getStatus()); 762 } 763 764 @Test 765 public void testNoAclControlDelete() throws ServletException, IOException { 766 setupAuthUserNoAclControl(); 767 request.setRequestURI(testAclPath); 768 request.setMethod("DELETE"); 769 webacFilter.doFilter(request, response, filterChain); 770 assertEquals(SC_FORBIDDEN, response.getStatus()); 771 } 772 773 774 775 @After 776 public void clearSubject() { 777 // unbind the subject to the thread 778 threadState.restore(); 779 } 780}