2021-03-22 06:13:27 +01:00
/ *
* This file is part of Player Analytics ( Plan ) .
*
* Plan is free software : you can redistribute it and / or modify
* it under the terms of the GNU Lesser General Public License v3 as published by
* the Free Software Foundation , either version 3 of the License , or
* ( at your option ) any later version .
*
* Plan is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU Lesser General Public License for more details .
*
* You should have received a copy of the GNU Lesser General Public License
* along with Plan . If not , see < https : //www.gnu.org/licenses/>.
* /
package com.djrapitops.plan.delivery.webserver ;
import com.djrapitops.plan.PlanSystem ;
import com.djrapitops.plan.delivery.domain.auth.User ;
2023-08-20 10:56:13 +02:00
import com.djrapitops.plan.delivery.domain.auth.WebPermission ;
2022-04-06 16:37:23 +02:00
import com.djrapitops.plan.extension.Caller ;
2021-03-22 06:13:27 +01:00
import com.djrapitops.plan.identification.Server ;
import com.djrapitops.plan.settings.config.PlanConfig ;
import com.djrapitops.plan.settings.config.changes.ConfigUpdater ;
import com.djrapitops.plan.settings.config.paths.WebserverSettings ;
2023-08-20 10:56:13 +02:00
import com.djrapitops.plan.storage.database.Database ;
2022-04-06 16:37:23 +02:00
import com.djrapitops.plan.storage.database.queries.ExtensionsDatabaseTest ;
2021-03-22 06:13:27 +01:00
import com.djrapitops.plan.storage.database.transactions.StoreServerInformationTransaction ;
2022-08-27 14:20:23 +02:00
import com.djrapitops.plan.storage.database.transactions.commands.StoreWebUserTransaction ;
2021-03-22 06:13:27 +01:00
import com.djrapitops.plan.storage.database.transactions.events.PlayerRegisterTransaction ;
2023-10-21 17:18:31 +02:00
import com.djrapitops.plan.storage.database.transactions.webuser.StoreWebGroupTransaction ;
2021-03-22 06:13:27 +01:00
import com.djrapitops.plan.utilities.PassEncryptUtil ;
2024-03-09 13:43:41 +01:00
import org.apache.commons.io.IOUtils ;
2023-08-20 10:56:13 +02:00
import org.apache.commons.lang3.StringUtils ;
2021-03-22 06:13:27 +01:00
import org.junit.jupiter.api.AfterAll ;
import org.junit.jupiter.api.BeforeAll ;
2022-02-28 18:31:17 +01:00
import org.junit.jupiter.api.DisplayName ;
2023-08-20 10:56:13 +02:00
import org.junit.jupiter.api.Test ;
2021-03-22 06:13:27 +01:00
import org.junit.jupiter.api.io.TempDir ;
import org.junit.jupiter.params.ParameterizedTest ;
2023-08-20 10:56:13 +02:00
import org.junit.jupiter.params.provider.Arguments ;
import org.junit.jupiter.params.provider.MethodSource ;
2021-03-22 06:13:27 +01:00
import utilities.HTTPConnector ;
import utilities.RandomData ;
import utilities.TestConstants ;
import utilities.TestResources ;
import utilities.mocks.PluginMockComponent ;
import java.io.File ;
import java.io.IOException ;
import java.io.InputStream ;
import java.net.HttpURLConnection ;
import java.nio.file.Files ;
import java.nio.file.Path ;
import java.nio.file.StandardCopyOption ;
import java.security.KeyManagementException ;
import java.security.NoSuchAlgorithmException ;
2023-08-20 10:56:13 +02:00
import java.util.Arrays ;
2021-03-22 06:13:27 +01:00
import java.util.Collections ;
2023-08-20 10:56:13 +02:00
import java.util.concurrent.ExecutionException ;
import java.util.stream.Collectors ;
import java.util.stream.Stream ;
2021-03-22 06:13:27 +01:00
2023-08-20 10:56:13 +02:00
import static org.junit.jupiter.api.Assertions.* ;
2021-03-22 06:13:27 +01:00
/ * *
* Tests for limiting user access control based on permissions .
* /
2022-02-10 16:57:26 +01:00
class AccessControlTest {
2021-03-22 06:13:27 +01:00
private static final int TEST_PORT_NUMBER = RandomData . randomInt ( 9005 , 9500 ) ;
2023-10-21 09:57:48 +02:00
private static final String QUERY_VIEW_SIMPLE = " %7B%22afterDate%22%3A%2201%2F01%2F1970%22%2C%22afterTime%22%3A%2200%3A00%22%2C%22beforeDate%22%3A%2201%2F01%2F2024%22%2C%22beforeTime%22%3A%2200%3A00%22%2C%22servers%22%3A%5B%5D%7D " ;
2021-03-22 06:13:27 +01:00
private static final HTTPConnector CONNECTOR = new HTTPConnector ( ) ;
private static PlanSystem system ;
private static String address ;
2023-08-20 10:56:13 +02:00
private static String cookieNoAccess ;
2023-10-21 09:57:48 +02:00
2023-08-20 10:56:13 +02:00
static Stream < Arguments > testCases ( ) {
return Stream . of (
Arguments . of ( " / " , WebPermission . ACCESS , 302 , 403 ) ,
2023-09-23 21:24:34 +02:00
Arguments . of ( " /pageExtensionApi.js " , WebPermission . ACCESS , 200 , 200 ) ,
2023-08-20 10:56:13 +02:00
Arguments . of ( " /server " , WebPermission . ACCESS_SERVER , 302 , 403 ) ,
Arguments . of ( " /server/ " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . ACCESS_SERVER , 200 , 403 ) ,
Arguments . of ( " /v1/serverOverview?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_OVERVIEW_NUMBERS , 200 , 403 ) ,
Arguments . of ( " /v1/onlineOverview?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_ONLINE_ACTIVITY_OVERVIEW , 200 , 403 ) ,
Arguments . of ( " /v1/sessionsOverview?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_SESSIONS , 200 , 403 ) ,
Arguments . of ( " /v1/playerVersus?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_PLAYER_VERSUS , 200 , 403 ) ,
Arguments . of ( " /v1/playerbaseOverview?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_PLAYERBASE_OVERVIEW , 200 , 403 ) ,
Arguments . of ( " /v1/performanceOverview?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_PERFORMANCE_OVERVIEW , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=optimizedPerformance&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_PERFORMANCE_GRAPHS , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=aggregatedPing&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_PERFORMANCE_GRAPHS , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=worldPie&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_SESSIONS_WORLD_PIE , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=activity&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_PLAYERBASE_GRAPHS , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=joinAddressPie&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_JOIN_ADDRESSES_GRAPHS_PIE , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=geolocation&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_GEOLOCATIONS_MAP , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=uniqueAndNew&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_ONLINE_ACTIVITY_GRAPHS_DAY_BY_DAY , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=hourlyUniqueAndNew&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_ONLINE_ACTIVITY_GRAPHS_HOUR_BY_HOUR , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=serverCalendar&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_ONLINE_ACTIVITY_GRAPHS_CALENDAR , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=punchCard&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_ONLINE_ACTIVITY_GRAPHS_PUNCHCARD , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=joinAddressByDay&server= " + TestConstants . SERVER_UUID_STRING + " &after=0&before= " + 123456L + " " , WebPermission . PAGE_SERVER_JOIN_ADDRESSES_GRAPHS_TIME , 200 , 403 ) ,
Arguments . of ( " /v1/players?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_PLAYERS , 200 , 403 ) ,
Arguments . of ( " /v1/kills?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_PLAYER_VERSUS_KILL_LIST , 200 , 403 ) ,
Arguments . of ( " /v1/pingTable?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_GEOLOCATIONS_PING_PER_COUNTRY , 200 , 403 ) ,
Arguments . of ( " /v1/sessions?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_SESSIONS_LIST , 200 , 403 ) ,
Arguments . of ( " /v1/retention?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_RETENTION , 200 , 403 ) ,
Arguments . of ( " /v1/joinAddresses?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_RETENTION , 200 , 403 ) ,
Arguments . of ( " /network " , WebPermission . ACCESS_NETWORK , 302 , 403 ) ,
Arguments . of ( " /v1/network/overview " , WebPermission . PAGE_NETWORK_OVERVIEW_NUMBERS , 200 , 403 ) ,
Arguments . of ( " /v1/network/servers " , WebPermission . PAGE_NETWORK_SERVER_LIST , 200 , 403 ) ,
Arguments . of ( " /v1/network/sessionsOverview " , WebPermission . PAGE_NETWORK_SESSIONS_OVERVIEW , 200 , 403 ) ,
Arguments . of ( " /v1/network/playerbaseOverview " , WebPermission . PAGE_NETWORK_PLAYERBASE_OVERVIEW , 200 , 403 ) ,
Arguments . of ( " /v1/sessions " , WebPermission . PAGE_NETWORK_SESSIONS_LIST , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=playersOnline&server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . PAGE_SERVER_OVERVIEW_PLAYERS_ONLINE_GRAPH , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=uniqueAndNew " , WebPermission . PAGE_NETWORK_OVERVIEW_GRAPHS_DAY_BY_DAY , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=hourlyUniqueAndNew " , WebPermission . PAGE_NETWORK_OVERVIEW_GRAPHS_HOUR_BY_HOUR , 200 , 403 ) ,
2023-09-30 16:10:18 +02:00
Arguments . of ( " /v1/graph?type=serverCalendar " , WebPermission . PAGE_NETWORK_OVERVIEW_GRAPHS_CALENDAR , 200 , 403 ) ,
2023-08-20 10:56:13 +02:00
Arguments . of ( " /v1/graph?type=serverPie " , WebPermission . PAGE_NETWORK_SESSIONS_SERVER_PIE , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=joinAddressPie " , WebPermission . PAGE_NETWORK_JOIN_ADDRESSES_GRAPHS_PIE , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=activity " , WebPermission . PAGE_NETWORK_PLAYERBASE_GRAPHS , 200 , 403 ) ,
Arguments . of ( " /v1/graph?type=geolocation " , WebPermission . PAGE_NETWORK_GEOLOCATIONS_MAP , 200 , 403 ) ,
Arguments . of ( " /v1/network/pingTable " , WebPermission . PAGE_NETWORK_GEOLOCATIONS_PING_PER_COUNTRY , 200 , 403 ) ,
Arguments . of ( " /player/ " + TestConstants . PLAYER_ONE_NAME + " " , WebPermission . ACCESS_PLAYER , 200 , 403 ) ,
Arguments . of ( " /player/ " + TestConstants . PLAYER_TWO_NAME + " " , WebPermission . ACCESS_PLAYER , 404 , 403 ) ,
Arguments . of ( " /player/ " + TestConstants . PLAYER_ONE_UUID_STRING + " " , WebPermission . ACCESS_PLAYER , 200 , 403 ) ,
Arguments . of ( " /player/ " + TestConstants . PLAYER_TWO_UUID_STRING + " " , WebPermission . ACCESS_PLAYER , 404 , 403 ) ,
Arguments . of ( " /v1/player?player= " + TestConstants . PLAYER_ONE_NAME + " " , WebPermission . ACCESS_PLAYER , 200 , 403 ) ,
Arguments . of ( " /v1/player?player= " + TestConstants . PLAYER_TWO_NAME + " " , WebPermission . ACCESS_PLAYER , 400 , 403 ) ,
Arguments . of ( " /players " , WebPermission . ACCESS_PLAYERS , 200 , 403 ) ,
Arguments . of ( " /v1/players " , WebPermission . ACCESS_PLAYERS , 200 , 403 ) ,
Arguments . of ( " /query " , WebPermission . ACCESS_QUERY , 200 , 403 ) ,
Arguments . of ( " /v1/filters " , WebPermission . ACCESS_QUERY , 200 , 403 ) ,
Arguments . of ( " /v1/query " , WebPermission . ACCESS_QUERY , 400 , 403 ) ,
Arguments . of ( " /v1/query?q=%5B%5D&view=%7B%22afterDate%22%3A%2224%2F10%2F2022%22%2C%22afterTime%22%3A%2218%3A21%22%2C%22beforeDate%22%3A%2223%2F11%2F2022%22%2C%22beforeTime%22%3A%2217%3A21%22%2C%22servers%22%3A%5B%0A%7B%22serverUUID%22%3A%22 " + TestConstants . SERVER_UUID_STRING + " %22%2C%22serverName%22%3A%22 " + TestConstants . SERVER_NAME + " %22%2C%22proxy%22%3Afalse%7D%5D%7D " , WebPermission . ACCESS_QUERY , 200 , 403 ) ,
2023-10-21 09:57:48 +02:00
Arguments . of ( " /v1/query?q=%5B%7B%22kind%22%3A%22playedBetween%22%2C%22parameters%22%3A%7B%22afterDate%22%3A%2201%2F01%2F1970%22%2C%22afterTime%22%3A%2200%3A00%22%2C%22beforeDate%22%3A%2201%2F01%2F2024%22%2C%22beforeTime%22%3A%2200%3A00%22%7D%7D%5D&view= " + QUERY_VIEW_SIMPLE , WebPermission . PAGE_NETWORK_OVERVIEW_GRAPHS_CALENDAR , 200 , 403 ) ,
Arguments . of ( " /v1/query?q=%5B%7B%22kind%22%3A%22playedBetween%22%2C%22parameters%22%3A%7B%22afterDate%22%3A%2201%2F01%2F1970%22%2C%22afterTime%22%3A%2200%3A00%22%2C%22beforeDate%22%3A%2201%2F01%2F2024%22%2C%22beforeTime%22%3A%2200%3A00%22%7D%7D%5D&view= " + QUERY_VIEW_SIMPLE , WebPermission . PAGE_SERVER_ONLINE_ACTIVITY_GRAPHS_CALENDAR , 200 , 403 ) ,
Arguments . of ( " /v1/query?q=%5B%7B%22kind%22%3A%22geolocations%22%2C%22parameters%22%3A%7B%22selected%22%3A%22%5B%5C%22FIN%5C%22%5D%22%7D%7D%5D&view= " + QUERY_VIEW_SIMPLE , WebPermission . PAGE_NETWORK_GEOLOCATIONS_MAP , 200 , 403 ) ,
Arguments . of ( " /v1/query?q=%5B%7B%22kind%22%3A%22geolocations%22%2C%22parameters%22%3A%7B%22selected%22%3A%22%5B%5C%22FIN%5C%22%5D%22%7D%7D%5D&view= " + QUERY_VIEW_SIMPLE , WebPermission . PAGE_SERVER_GEOLOCATIONS_MAP , 200 , 403 ) ,
2023-08-20 10:56:13 +02:00
Arguments . of ( " /v1/errors " , WebPermission . ACCESS_ERRORS , 200 , 403 ) ,
Arguments . of ( " /errors " , WebPermission . ACCESS_ERRORS , 200 , 403 ) ,
Arguments . of ( " /v1/network/listServers " , WebPermission . PAGE_NETWORK_PERFORMANCE , 200 , 403 ) ,
Arguments . of ( " /v1/network/serverOptions " , WebPermission . PAGE_NETWORK_PERFORMANCE , 200 , 403 ) ,
Arguments . of ( " /v1/network/performanceOverview?servers=[ " + TestConstants . SERVER_UUID_STRING + " ] " , WebPermission . PAGE_NETWORK_PERFORMANCE , 200 , 403 ) ,
Arguments . of ( " /v1/version " , WebPermission . ACCESS , 200 , 200 ) ,
Arguments . of ( " /v1/whoami " , WebPermission . ACCESS , 200 , 200 ) ,
Arguments . of ( " /v1/metadata " , WebPermission . ACCESS , 200 , 200 ) ,
Arguments . of ( " /v1/networkMetadata " , WebPermission . ACCESS , 200 , 200 ) ,
Arguments . of ( " /v1/serverIdentity?server= " + TestConstants . SERVER_UUID_STRING + " " , WebPermission . ACCESS_SERVER , 200 , 403 ) ,
Arguments . of ( " /v1/locale " , WebPermission . ACCESS , 200 , 200 ) ,
Arguments . of ( " /v1/locale/EN " , WebPermission . ACCESS , 200 , 200 ) ,
Arguments . of ( " /v1/locale/NonexistingLanguage " , WebPermission . ACCESS , 404 , 404 ) ,
Arguments . of ( " /docs/swagger.json " , WebPermission . ACCESS_DOCS , 500 , 403 ) , // swagger.json not available during tests
Arguments . of ( " /docs " , WebPermission . ACCESS_DOCS , 200 , 403 ) ,
Arguments . of ( " /pageExtensionApi.js " , WebPermission . ACCESS , 200 , 200 ) ,
Arguments . of ( " /manage " , WebPermission . MANAGE_GROUPS , 200 , 403 ) ,
Arguments . of ( " /v1/groupPermissions?group=admin " , WebPermission . MANAGE_GROUPS , 200 , 403 ) ,
Arguments . of ( " /v1/webGroups " , WebPermission . MANAGE_GROUPS , 200 , 403 ) ,
Arguments . of ( " /v1/deleteGroup?group=admin&moveTo=no_access " , WebPermission . MANAGE_GROUPS , 400 , 403 ) ,
2023-09-23 21:24:34 +02:00
Arguments . of ( " /v1/saveGroupPermissions?group=admin " , WebPermission . MANAGE_GROUPS , 400 , 403 ) ,
Arguments . of ( " /v1/preferences " , WebPermission . ACCESS , 200 , 200 ) ,
2023-10-07 07:39:00 +02:00
Arguments . of ( " /v1/storePreferences " , WebPermission . ACCESS , 400 , 400 ) ,
Arguments . of ( " /v1/pluginHistory?server= " + TestConstants . SERVER_UUID_STRING , WebPermission . PAGE_NETWORK_PLUGIN_HISTORY , 200 , 403 ) ,
Arguments . of ( " /v1/pluginHistory?server= " + TestConstants . SERVER_UUID_STRING , WebPermission . PAGE_SERVER_PLUGIN_HISTORY , 200 , 403 )
2023-08-20 10:56:13 +02:00
) ;
}
2021-03-22 06:13:27 +01:00
@BeforeAll
static void setUpClass ( @TempDir Path tempDir ) throws Exception {
File file = tempDir . resolve ( " TestCert.p12 " ) . toFile ( ) ;
File testCert = TestResources . getTestResourceFile ( " TestCert.p12 " , ConfigUpdater . class ) ;
Files . copy ( testCert . toPath ( ) , file . toPath ( ) , StandardCopyOption . REPLACE_EXISTING ) ;
String absolutePath = file . getAbsolutePath ( ) ;
PluginMockComponent component = new PluginMockComponent ( tempDir ) ;
system = component . getPlanSystem ( ) ;
PlanConfig config = system . getConfigSystem ( ) . getConfig ( ) ;
config . set ( WebserverSettings . CERTIFICATE_PATH , absolutePath ) ;
config . set ( WebserverSettings . CERTIFICATE_KEYPASS , " test " ) ;
config . set ( WebserverSettings . CERTIFICATE_STOREPASS , " test " ) ;
config . set ( WebserverSettings . CERTIFICATE_ALIAS , " test " ) ;
config . set ( WebserverSettings . PORT , TEST_PORT_NUMBER ) ;
system . enable ( ) ;
2023-08-20 10:56:13 +02:00
User userNoAccess = new User ( " test0 " , " console " , null , PassEncryptUtil . createHash ( " testPass " ) , " no_access " , Collections . emptyList ( ) ) ;
Database database = system . getDatabaseSystem ( ) . getDatabase ( ) ;
database . executeTransaction ( new StoreWebUserTransaction ( userNoAccess ) ) ;
database . executeTransaction ( new PlayerRegisterTransaction ( TestConstants . PLAYER_ONE_UUID , ( ) - > 0L , TestConstants . PLAYER_ONE_NAME ) ) ;
database . executeTransaction ( new StoreServerInformationTransaction ( new Server (
2021-03-22 06:13:27 +01:00
TestConstants . SERVER_UUID ,
TestConstants . SERVER_NAME ,
2022-04-07 17:24:40 +02:00
address ,
TestConstants . VERSION ) ) ) ;
2021-03-22 06:13:27 +01:00
2024-03-09 13:43:41 +01:00
Caller caller = system . getApiServices ( ) . getExtensionService ( ) . register ( new ExtensionsDatabaseTest . PlayerExtension ( ) )
2022-04-06 16:37:23 +02:00
. orElseThrow ( AssertionError : : new ) ;
caller . updatePlayerData ( TestConstants . PLAYER_ONE_UUID , TestConstants . PLAYER_ONE_NAME ) ;
2022-06-19 17:38:40 +02:00
assertTrue ( system . getWebServerSystem ( ) . getWebServer ( ) . isUsingHTTPS ( ) ) ;
assertTrue ( system . getWebServerSystem ( ) . getWebServer ( ) . isAuthRequired ( ) ) ;
2021-03-22 06:13:27 +01:00
address = " https://localhost: " + TEST_PORT_NUMBER ;
2023-08-20 10:56:13 +02:00
cookieNoAccess = login ( address , userNoAccess . getUsername ( ) ) ;
2021-03-22 06:13:27 +01:00
}
@AfterAll
static void tearDownClass ( ) {
if ( system ! = null ) {
system . disable ( ) ;
}
}
2023-08-20 10:56:13 +02:00
public static String login ( String address , String username ) throws IOException , KeyManagementException , NoSuchAlgorithmException {
2021-03-22 06:13:27 +01:00
HttpURLConnection loginConnection = null ;
2022-02-10 16:57:26 +01:00
String cookie ;
2021-03-22 06:13:27 +01:00
try {
2021-07-09 19:31:04 +02:00
loginConnection = CONNECTOR . getConnection ( " POST " , address + " /auth/login " ) ;
loginConnection . setDoOutput ( true ) ;
loginConnection . getOutputStream ( ) . write ( ( " user= " + username + " &password=testPass " ) . getBytes ( ) ) ;
2021-03-22 06:13:27 +01:00
try ( InputStream in = loginConnection . getInputStream ( ) ) {
String responseBody = new String ( IOUtils . toByteArray ( in ) ) ;
assertTrue ( responseBody . contains ( " \" success \" :true " ) , ( ) - > " Not successful: " + responseBody ) ;
cookie = loginConnection . getHeaderField ( " Set-Cookie " ) . split ( " ; " ) [ 0 ] ;
System . out . println ( " Got cookie: " + cookie ) ;
}
} finally {
2022-02-28 18:31:17 +01:00
if ( loginConnection ! = null ) loginConnection . disconnect ( ) ;
2021-03-22 06:13:27 +01:00
}
return cookie ;
}
2023-08-20 10:56:13 +02:00
@DisplayName ( " Access control test " )
@ParameterizedTest ( name = " {0}: Permission {1}, expecting {2} with & {3} without permission " )
@MethodSource ( " testCases " )
void accessControlTest ( String resource , WebPermission permission , int expectedWithPermission , int expectedWithout ) throws Exception {
String cookie = login ( address , createUserWithPermissions ( resource , permission ) . getUsername ( ) ) ;
int responseCodeWithPermission = access ( resource , cookie ) ;
int responseCodeWithout = access ( resource , cookieNoAccess ) ;
2021-03-22 06:13:27 +01:00
2023-08-20 10:56:13 +02:00
assertAll (
( ) - > assertEquals ( expectedWithPermission , responseCodeWithPermission ,
( ) - > " Permission ' " + permission . getPermission ( ) + " ', Wrong response code for " + resource + " , expected " + expectedWithPermission + " but was " + responseCodeWithPermission ) ,
( ) - > assertEquals ( expectedWithout , responseCodeWithout ,
( ) - > " No Permissions, Wrong response code for " + resource + " , expected " + expectedWithout + " but was " + responseCodeWithout )
) ;
2021-03-22 06:13:27 +01:00
}
2023-08-20 10:56:13 +02:00
@DisplayName ( " Access test player/uuid/raw " )
@Test
void playerRawAccess ( ) throws Exception {
String resource = " /player/ " + TestConstants . PLAYER_ONE_UUID + " /raw " ;
int expectedWithPermission = 200 ;
int expectedWithout = 403 ;
String cookie = login ( address , createUserWithPermissions ( resource , WebPermission . ACCESS_PLAYER , WebPermission . ACCESS_RAW_PLAYER_DATA ) . getUsername ( ) ) ;
String cookieJustPage = login ( address , createUserWithPermissions ( resource , WebPermission . ACCESS_PLAYER ) . getUsername ( ) ) ;
int responseCodeWithPermission = access ( resource , cookie ) ;
int responseCodeJustPage = access ( resource , cookieJustPage ) ;
int responseCodeWithout = access ( resource , cookieNoAccess ) ;
assertAll (
( ) - > assertEquals ( expectedWithPermission , responseCodeWithPermission ,
( ) - > " Permission 'access.player', 'access.raw.player.data', Wrong response code for " + resource + " , expected " + expectedWithPermission + " but was " + responseCodeWithPermission ) ,
( ) - > assertEquals ( expectedWithout , responseCodeJustPage ,
( ) - > " Just page visibility permissions, Wrong response code for " + resource + " , expected " + expectedWithout + " but was " + responseCodeJustPage ) ,
( ) - > assertEquals ( expectedWithout , responseCodeWithout ,
( ) - > " No Permissions, Wrong response code for " + resource + " , expected " + expectedWithout + " but was " + responseCodeWithout )
) ;
2021-03-22 06:13:27 +01:00
}
2023-08-20 10:56:13 +02:00
private User createUserWithPermissions ( String resource , WebPermission . . . permissions ) throws ExecutionException , InterruptedException {
Database db = system . getDatabaseSystem ( ) . getDatabase ( ) ;
String groupName = StringUtils . truncate ( resource , 75 ) ;
db . executeTransaction (
new StoreWebGroupTransaction ( groupName , Arrays . stream ( permissions ) . map ( WebPermission : : getPermission ) . collect ( Collectors . toList ( ) ) )
) . get ( ) ;
User user = new User ( RandomData . randomString ( 45 ) , " console " , null , PassEncryptUtil . createHash ( " testPass " ) , groupName , Collections . emptyList ( ) ) ;
db . executeTransaction ( new StoreWebUserTransaction ( user ) ) . get ( ) ;
return user ;
2021-03-22 06:13:27 +01:00
}
private int access ( String resource , String cookie ) throws IOException , KeyManagementException , NoSuchAlgorithmException {
HttpURLConnection connection = null ;
try {
connection = CONNECTOR . getConnection ( " GET " , address + resource ) ;
connection . setRequestProperty ( " Cookie " , cookie ) ;
return connection . getResponseCode ( ) ;
} finally {
2022-02-28 18:31:17 +01:00
if ( connection ! = null ) connection . disconnect ( ) ;
2021-03-22 06:13:27 +01:00
}
}
}