Remove OAuthAuthenticationMechanism (#2171)
Also refactored various Auth-related classes to clean things up a bit and make the logic less convoluted: 1. In Auth, remove AUTH_API_PUBLIC as it is only used by the WHOIS and EPP endpoints accessed by the proxy. Previously, the proxy relied on OAuth and its service account was not given the admin role (in OAuth parlance), so we made those endpoints accessible by a public user, deferring authorization to the actions themselves. In practice, OAuth checked for allowlisted client IDs and only the proxy client ID was allowlisted, which effectively limited access to the proxy anyway. 2. In AuthResult, expose the service account email if it is at APP level. RequestAuthenticator will print out the auth result and therefore log the email, making it easy to identify which account was used. This field is mutually exclusive with the user auth info field. As a result, the factory methods are refactored to explicitly create either an APP- or USER-level auth result. 3. Completely rewrote RequestAuthenticatorTest. Previously, the test mingled testing the functionality of the target class with testing how the various authentication mechanisms work. Now they are cleanly decoupled, and each method in RequestAuthenticator is tested individually. 4. Removed nomulus-config-production-sample.yaml as it is vastly out of date.
@@ -28,7 +28,6 @@ import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
|
||||
import google.registry.request.Actions;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.testing.FakeClock;
|
||||
import google.registry.testing.FakeResponse;
|
||||
@@ -48,13 +47,11 @@ abstract class RdapActionBaseTestCase<A extends RdapActionBase> {
|
||||
new JpaTestExtensions.Builder().buildIntegrationTestExtension();
|
||||
|
||||
protected static final AuthResult AUTH_RESULT =
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(new User("rdap.user@user.com", "gmail.com", "12345"), false));
|
||||
|
||||
protected static final AuthResult AUTH_RESULT_ADMIN =
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(new User("rdap.admin@google.com", "gmail.com", "12345"), true));
|
||||
|
||||
protected FakeResponse response = new FakeResponse();
|
||||
|
||||
@@ -20,6 +20,7 @@ import static google.registry.request.Action.Method.GET;
|
||||
import static google.registry.request.Action.Method.POST;
|
||||
import static google.registry.request.auth.Auth.AUTH_API_ADMIN;
|
||||
import static google.registry.request.auth.Auth.AUTH_PUBLIC;
|
||||
import static google.registry.request.auth.AuthResult.NOT_AUTHENTICATED;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.ArgumentMatchers.eq;
|
||||
import static org.mockito.Mockito.mock;
|
||||
@@ -228,7 +229,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
when(req.getRequestURI()).thenReturn("/bumblebee");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -242,7 +243,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
when(req.getRequestURI()).thenReturn("/bumblebee");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -255,7 +256,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
when(req.getRequestURI()).thenReturn("/bumblebee/hive");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -268,7 +269,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
when(req.getRequestURI()).thenReturn("/sloth");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -284,7 +285,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
when(req.getRequestURI()).thenReturn("/sloth/nest");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -296,7 +297,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
when(req.getRequestURI()).thenReturn("/fail");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -311,7 +312,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
when(req.getRequestURI()).thenReturn("/failAtConstruction");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -324,7 +325,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
when(req.getRequestURI()).thenReturn("/bogus");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -336,7 +337,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
when(req.getRequestURI()).thenReturn("/fail");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -348,7 +349,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("FIREAWAY");
|
||||
when(req.getRequestURI()).thenReturn("/fail");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -364,7 +365,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("get");
|
||||
when(req.getRequestURI()).thenReturn("/bumblebee");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -386,7 +387,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
when(req.getRequestURI()).thenReturn("/safe-sloth");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -399,7 +400,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
when(req.getRequestURI()).thenReturn("/safe-sloth");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -412,7 +413,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
when(req.getRequestURI()).thenReturn("/auth/none");
|
||||
when(requestAuthenticator.authorize(AUTH_PUBLIC.authSettings(), req))
|
||||
.thenReturn(Optional.of(AuthResult.create(AuthLevel.NONE)));
|
||||
.thenReturn(Optional.of(NOT_AUTHENTICATED));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -440,8 +441,7 @@ public final class RequestHandlerTest {
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
when(req.getRequestURI()).thenReturn("/auth/adminUser");
|
||||
when(requestAuthenticator.authorize(AUTH_API_ADMIN.authSettings(), req))
|
||||
.thenReturn(
|
||||
Optional.of(AuthResult.create(AuthLevel.USER, UserAuthInfo.create(testUser, true))));
|
||||
.thenReturn(Optional.of(AuthResult.createUser(UserAuthInfo.create(testUser, true))));
|
||||
|
||||
handler.handleRequest(req, rsp);
|
||||
|
||||
@@ -449,7 +449,6 @@ public final class RequestHandlerTest {
|
||||
assertThat(providedAuthResult.authLevel()).isEqualTo(AuthLevel.USER);
|
||||
assertThat(providedAuthResult.userAuthInfo()).isPresent();
|
||||
assertThat(providedAuthResult.userAuthInfo().get().appEngineUser()).hasValue(testUser);
|
||||
assertThat(providedAuthResult.userAuthInfo().get().oauthTokenInfo()).isEmpty();
|
||||
assertMetric("/auth/adminUser", GET, AuthLevel.USER, true);
|
||||
}
|
||||
}
|
||||
|
||||
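Review bot: The `/auth/adminUser` test in the last hunk of this file pins the auth level and the App Engine user but, after dropping the `oauthTokenInfo()` assertion, no longer checks anything that distinguishes an admin result from an ordinary user result, so a regression that hands a non-admin result to the action would pass here; consider adding `assertThat(providedAuthResult.userAuthInfo().get().isUserAdmin()).isTrue();` next to the `appEngineUser()` assertion. Since `requestAuthenticator` is a mock, this only pins what the stub returns and what `handleRequest` forwards, so it documents the contract rather than exercising authorization logic. The test method begins in the preceding hunk, outside the one the assertions live in.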
@@ -15,6 +15,7 @@
|
||||
package google.registry.request.auth;
|
||||
|
||||
import static com.google.common.truth.Truth.assertThat;
|
||||
import static google.registry.request.auth.AuthResult.NOT_AUTHENTICATED;
|
||||
import static google.registry.request.auth.AuthenticatedRegistrarAccessor.Role.ADMIN;
|
||||
import static google.registry.request.auth.AuthenticatedRegistrarAccessor.Role.OWNER;
|
||||
import static google.registry.testing.DatabaseHelper.loadRegistrar;
|
||||
@@ -40,7 +41,6 @@ import google.registry.model.registrar.Registrar;
|
||||
import google.registry.model.registrar.Registrar.State;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
|
||||
import google.registry.util.JdkLoggerConfig;
|
||||
import java.util.Optional;
|
||||
@@ -75,7 +75,7 @@ class AuthenticatedRegistrarAccessorTest {
|
||||
|
||||
private static final AuthResult USER = createAuthResult(false);
|
||||
private static final AuthResult GAE_ADMIN = createAuthResult(true);
|
||||
private static final AuthResult NO_USER = AuthResult.create(AuthLevel.NONE);
|
||||
private static final AuthResult NO_USER = NOT_AUTHENTICATED;
|
||||
private static final Optional<String> SUPPORT_GROUP = Optional.of("support@registry.example");
|
||||
/** Registrar ID of a REAL registrar with a RegistrarContact for USER and GAE_ADMIN. */
|
||||
private static final String REGISTRAR_ID_WITH_CONTACT = "TheRegistrar";
|
||||
@@ -94,8 +94,7 @@ class AuthenticatedRegistrarAccessorTest {
|
||||
* @param isAdmin if true, the user is an administrator for the app-engine project.
|
||||
*/
|
||||
private static AuthResult createAuthResult(boolean isAdmin) {
|
||||
return AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
return AuthResult.createUser(
|
||||
UserAuthInfo.create(new User("johndoe@theregistrar.com", "theregistrar.com"), isAdmin));
|
||||
}
|
||||
|
||||
@@ -295,8 +294,7 @@ class AuthenticatedRegistrarAccessorTest {
|
||||
void testGetRegistrarForUser_inContacts_isNotAdmin_caseInsensitive() throws Exception {
|
||||
expectGetRegistrarSuccess(
|
||||
REGISTRAR_ID_WITH_CONTACT,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(new User("JohnDoe@theregistrar.com", "theregistrar.com"), false)),
|
||||
"user JohnDoe@theregistrar.com has [OWNER] access to registrar TheRegistrar");
|
||||
verify(lazyGroupsConnection).get();
|
||||
@@ -421,7 +419,7 @@ class AuthenticatedRegistrarAccessorTest {
|
||||
.setUserRoles(
|
||||
new UserRoles.Builder().setIsAdmin(true).setGlobalRole(GlobalRole.FTE).build())
|
||||
.build();
|
||||
AuthResult authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(consoleUser));
|
||||
AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
|
||||
AuthenticatedRegistrarAccessor registrarAccessor =
|
||||
new AuthenticatedRegistrarAccessor(
|
||||
authResult, ADMIN_REGISTRAR_ID, SUPPORT_GROUP, lazyGroupsConnection);
|
||||
@@ -446,7 +444,7 @@ class AuthenticatedRegistrarAccessorTest {
|
||||
.setEmailAddress("email@email.com")
|
||||
.setUserRoles(new UserRoles.Builder().setGlobalRole(GlobalRole.SUPPORT_AGENT).build())
|
||||
.build();
|
||||
AuthResult authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(consoleUser));
|
||||
AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
|
||||
AuthenticatedRegistrarAccessor registrarAccessor =
|
||||
new AuthenticatedRegistrarAccessor(
|
||||
authResult, ADMIN_REGISTRAR_ID, SUPPORT_GROUP, lazyGroupsConnection);
|
||||
@@ -471,7 +469,7 @@ class AuthenticatedRegistrarAccessorTest {
|
||||
RegistrarRole.ACCOUNT_MANAGER))
|
||||
.build())
|
||||
.build();
|
||||
AuthResult authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(consoleUser));
|
||||
AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
|
||||
AuthenticatedRegistrarAccessor registrarAccessor =
|
||||
new AuthenticatedRegistrarAccessor(
|
||||
authResult, ADMIN_REGISTRAR_ID, SUPPORT_GROUP, lazyGroupsConnection);
|
||||
|
||||
@@ -18,7 +18,6 @@ import static com.google.common.net.HttpHeaders.AUTHORIZATION;
|
||||
import static com.google.common.truth.Truth.assertThat;
|
||||
import static google.registry.request.auth.AuthModule.BEARER_PREFIX;
|
||||
import static google.registry.request.auth.AuthModule.IAP_HEADER_NAME;
|
||||
import static google.registry.request.auth.AuthModule.PROXY_HEADER_NAME;
|
||||
import static google.registry.testing.DatabaseHelper.insertInDb;
|
||||
import static org.mockito.ArgumentMatchers.eq;
|
||||
import static org.mockito.Mockito.mock;
|
||||
@@ -92,9 +91,8 @@ public class OidcTokenAuthenticationMechanismTest {
|
||||
|
||||
@Test
|
||||
void testAuthResultBypass() {
|
||||
OidcTokenAuthenticationMechanism.setAuthResultForTesting(AuthResult.create(AuthLevel.APP));
|
||||
assertThat(authenticationMechanism.authenticate(null))
|
||||
.isEqualTo(AuthResult.create(AuthLevel.APP));
|
||||
OidcTokenAuthenticationMechanism.setAuthResultForTesting(AuthResult.NOT_AUTHENTICATED);
|
||||
assertThat(authenticationMechanism.authenticate(null)).isEqualTo(AuthResult.NOT_AUTHENTICATED);
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -169,16 +167,10 @@ public class OidcTokenAuthenticationMechanismTest {
|
||||
void testRegular_tokenExtractor() throws Exception {
|
||||
useRegularOidcMechanism();
|
||||
// The token does not have the "Bearer " prefix.
|
||||
when(request.getHeader(PROXY_HEADER_NAME)).thenReturn(rawToken);
|
||||
when(request.getHeader(AUTHORIZATION)).thenReturn(rawToken);
|
||||
assertThat(authenticationMechanism.tokenExtractor.extract(request)).isNull();
|
||||
|
||||
// The token is in the correct format.
|
||||
when(request.getHeader(PROXY_HEADER_NAME))
|
||||
.thenReturn(String.format("%s%s", BEARER_PREFIX, rawToken));
|
||||
assertThat(authenticationMechanism.tokenExtractor.extract(request)).isEqualTo(rawToken);
|
||||
|
||||
// The token is in the correct format, and under the alternative header.
|
||||
when(request.getHeader(PROXY_HEADER_NAME)).thenReturn(null);
|
||||
when(request.getHeader(AUTHORIZATION))
|
||||
.thenReturn(String.format("%s%s", BEARER_PREFIX, rawToken));
|
||||
assertThat(authenticationMechanism.tokenExtractor.extract(request)).isEqualTo(rawToken);
|
||||
|
||||
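Review bot: `testAuthResultBypass` ends by installing `NOT_AUTHENTICATED` through the static `setAuthResultForTesting` hook rather than clearing it, and if the first assertion fails the `APP`-level override stays installed, so any later test in the class that goes through `authenticate()` could presumably see a stubbed result instead of the real token path; moving the reset into an `@AfterEach` (or a `try`/`finally`) would keep the bypass from leaking across tests. Whether the hook accepts `null` to disable the override is not visible here, so the reset value itself may have to stay as written. The rewritten `testRegular_tokenExtractor` hunk reads fine on its own; its method body appears to continue past the end of that hunk.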
@@ -14,361 +14,276 @@
|
||||
|
||||
package google.registry.request.auth;
|
||||
|
||||
import static com.google.common.net.HttpHeaders.AUTHORIZATION;
|
||||
import static com.google.common.truth.Truth.assertThat;
|
||||
import static com.google.common.truth.Truth8.assertThat;
|
||||
import static google.registry.request.auth.AuthResult.NOT_AUTHENTICATED;
|
||||
import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
|
||||
import static google.registry.request.auth.AuthSettings.AuthLevel.NONE;
|
||||
import static google.registry.request.auth.AuthSettings.AuthLevel.USER;
|
||||
import static google.registry.request.auth.AuthSettings.AuthMethod.API;
|
||||
import static google.registry.request.auth.AuthSettings.AuthMethod.LEGACY;
|
||||
import static google.registry.request.auth.AuthSettings.UserPolicy.ADMIN;
|
||||
import static google.registry.request.auth.AuthSettings.UserPolicy.PUBLIC;
|
||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import com.google.appengine.api.users.User;
|
||||
import com.google.appengine.api.users.UserService;
|
||||
import com.google.common.collect.ImmutableList;
|
||||
import com.google.common.collect.ImmutableSet;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
|
||||
import google.registry.model.console.GlobalRole;
|
||||
import google.registry.model.console.User;
|
||||
import google.registry.model.console.UserRoles;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthSettings.AuthMethod;
|
||||
import google.registry.request.auth.AuthSettings.UserPolicy;
|
||||
import google.registry.security.XsrfTokenManager;
|
||||
import google.registry.testing.FakeClock;
|
||||
import google.registry.testing.FakeOAuthService;
|
||||
import google.registry.testing.FakeUserService;
|
||||
import java.util.Optional;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.RegisterExtension;
|
||||
|
||||
/** Unit tests for {@link RequestAuthenticator}. */
|
||||
class RequestAuthenticatorTest {
|
||||
|
||||
@RegisterExtension
|
||||
final JpaIntegrationTestExtension jpa =
|
||||
new JpaTestExtensions.Builder().buildIntegrationTestExtension();
|
||||
private static final AuthResult APP_AUTH = AuthResult.createApp("app@registry.example");
|
||||
|
||||
private static final AuthSettings AUTH_NONE =
|
||||
AuthSettings.create(ImmutableList.of(AuthMethod.API), AuthLevel.NONE, UserPolicy.PUBLIC);
|
||||
private static final AuthResult USER_PUBLIC_AUTH =
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
new User.Builder()
|
||||
.setEmailAddress("user@registry.example")
|
||||
.setUserRoles(
|
||||
new UserRoles.Builder()
|
||||
.setIsAdmin(false)
|
||||
.setGlobalRole(GlobalRole.NONE)
|
||||
.build())
|
||||
.build()));
|
||||
|
||||
private static final AuthSettings AUTH_ANY_USER_ANY_METHOD =
|
||||
AuthSettings.create(
|
||||
ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.USER, UserPolicy.PUBLIC);
|
||||
private static final AuthResult USER_ADMIN_AUTH =
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
new User.Builder()
|
||||
.setEmailAddress("admin@registry.example")
|
||||
.setUserRoles(
|
||||
new UserRoles.Builder()
|
||||
.setIsAdmin(true)
|
||||
.setGlobalRole(GlobalRole.FTE)
|
||||
.build())
|
||||
.build()));
|
||||
|
||||
private static final AuthSettings AUTH_ANY_USER_NO_LEGACY =
|
||||
AuthSettings.create(ImmutableList.of(AuthMethod.API), AuthLevel.USER, UserPolicy.PUBLIC);
|
||||
|
||||
private static final AuthSettings AUTH_ADMIN_USER_ANY_METHOD =
|
||||
AuthSettings.create(
|
||||
ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.USER, UserPolicy.ADMIN);
|
||||
|
||||
private static final AuthSettings AUTH_NO_METHODS =
|
||||
AuthSettings.create(ImmutableList.of(), AuthLevel.APP, UserPolicy.PUBLIC);
|
||||
|
||||
private static final AuthSettings AUTH_WRONG_METHOD_ORDERING =
|
||||
AuthSettings.create(
|
||||
ImmutableList.of(AuthMethod.LEGACY, AuthMethod.API), AuthLevel.APP, UserPolicy.PUBLIC);
|
||||
|
||||
private static final AuthSettings AUTH_DUPLICATE_METHODS =
|
||||
AuthSettings.create(
|
||||
ImmutableList.of(AuthMethod.API, AuthMethod.API), AuthLevel.APP, UserPolicy.PUBLIC);
|
||||
|
||||
private static final AuthSettings AUTH_NONE_REQUIRES_ADMIN =
|
||||
AuthSettings.create(ImmutableList.of(AuthMethod.API), AuthLevel.NONE, UserPolicy.ADMIN);
|
||||
|
||||
private final UserService mockUserService = mock(UserService.class);
|
||||
private final HttpServletRequest req = mock(HttpServletRequest.class);
|
||||
|
||||
private final User testUser = new User("test@google.com", "test@google.com");
|
||||
private final FakeUserService fakeUserService = new FakeUserService();
|
||||
private final XsrfTokenManager xsrfTokenManager =
|
||||
new XsrfTokenManager(new FakeClock(), fakeUserService);
|
||||
private final FakeOAuthService fakeOAuthService =
|
||||
new FakeOAuthService(
|
||||
false /* isOAuthEnabled */,
|
||||
testUser,
|
||||
false /* isUserAdmin */,
|
||||
"test-client-id",
|
||||
ImmutableList.of("test-scope1", "test-scope2", "nontest-scope"));
|
||||
private final AuthenticationMechanism apiAuthenticationMechanism1 =
|
||||
mock(AuthenticationMechanism.class);
|
||||
private final AuthenticationMechanism apiAuthenticationMechanism2 =
|
||||
mock(AuthenticationMechanism.class);
|
||||
private final LegacyAuthenticationMechanism legacyAuthenticationMechanism =
|
||||
mock(LegacyAuthenticationMechanism.class);
|
||||
|
||||
private Optional<AuthResult> authorize(AuthLevel authLevel, UserPolicy userPolicy) {
|
||||
return new RequestAuthenticator(
|
||||
ImmutableList.of(apiAuthenticationMechanism1, apiAuthenticationMechanism2),
|
||||
legacyAuthenticationMechanism)
|
||||
.authorize(AuthSettings.create(ImmutableList.of(API, LEGACY), authLevel, userPolicy), req);
|
||||
}
|
||||
|
||||
private AuthResult authenticate(AuthMethod... methods) {
|
||||
return new RequestAuthenticator(
|
||||
ImmutableList.of(apiAuthenticationMechanism1, apiAuthenticationMechanism2),
|
||||
legacyAuthenticationMechanism)
|
||||
.authenticate(AuthSettings.create(ImmutableList.copyOf(methods), NONE, PUBLIC), req);
|
||||
}
|
||||
|
||||
@BeforeEach
|
||||
void beforeEach() {
|
||||
when(req.getMethod()).thenReturn("POST");
|
||||
}
|
||||
|
||||
private RequestAuthenticator createRequestAuthenticator(UserService userService) {
|
||||
return new RequestAuthenticator(
|
||||
ImmutableList.of(
|
||||
new OAuthAuthenticationMechanism(
|
||||
fakeOAuthService,
|
||||
ImmutableSet.of("test-scope1", "test-scope2", "test-scope3"),
|
||||
ImmutableSet.of("test-scope1", "test-scope2"),
|
||||
ImmutableSet.of("test-client-id", "other-test-client-id"))),
|
||||
new LegacyAuthenticationMechanism(userService, xsrfTokenManager));
|
||||
}
|
||||
|
||||
private Optional<AuthResult> runTest(UserService userService, AuthSettings auth) {
|
||||
return createRequestAuthenticator(userService).authorize(auth, req);
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(NOT_AUTHENTICATED);
|
||||
when(apiAuthenticationMechanism2.authenticate(req)).thenReturn(NOT_AUTHENTICATED);
|
||||
when(legacyAuthenticationMechanism.authenticate(req)).thenReturn(NOT_AUTHENTICATED);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testNoAuthNeeded_noneFound() {
|
||||
Optional<AuthResult> authResult = runTest(mockUserService, AUTH_NONE);
|
||||
|
||||
verifyNoInteractions(mockUserService);
|
||||
assertThat(authResult).isPresent();
|
||||
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.NONE);
|
||||
void testAuthorize_noneRequired() {
|
||||
for (AuthResult resultFound :
|
||||
ImmutableList.of(NOT_AUTHENTICATED, APP_AUTH, USER_ADMIN_AUTH, USER_PUBLIC_AUTH)) {
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(resultFound);
|
||||
assertThat(authorize(NONE, PUBLIC)).hasValue(resultFound);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAnyUserAnyMethod_notLoggedIn() {
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_ANY_METHOD);
|
||||
void testAuthorize_appPublicRequired() {
|
||||
authorize(APP, PUBLIC);
|
||||
assertThat(authorize(APP, PUBLIC)).isEmpty();
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
for (AuthResult resultFound : ImmutableList.of(APP_AUTH, USER_ADMIN_AUTH, USER_PUBLIC_AUTH)) {
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(resultFound);
|
||||
assertThat(authorize(APP, PUBLIC)).hasValue(resultFound);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAnyUserAnyMethod_xsrfFailure() {
|
||||
fakeUserService.setUser(testUser, false);
|
||||
void testAuthorize_appAdminRequired() {
|
||||
for (AuthResult resultFound : ImmutableList.of(NOT_AUTHENTICATED, USER_PUBLIC_AUTH)) {
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(resultFound);
|
||||
assertThat(authorize(APP, ADMIN)).isEmpty();
|
||||
}
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_ANY_METHOD);
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
for (AuthResult resultFound : ImmutableList.of(APP_AUTH, USER_ADMIN_AUTH)) {
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(resultFound);
|
||||
assertThat(authorize(APP, ADMIN)).hasValue(resultFound);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAnyUserAnyMethod_success() {
|
||||
fakeUserService.setUser(testUser, false /* isAdmin */);
|
||||
when(req.getHeader(XsrfTokenManager.X_CSRF_TOKEN))
|
||||
.thenReturn(xsrfTokenManager.generateToken(testUser.getEmail()));
|
||||
void testAuthorize_userPublicRequired() {
|
||||
for (AuthResult resultFound : ImmutableList.of(NOT_AUTHENTICATED, APP_AUTH)) {
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(resultFound);
|
||||
assertThat(authorize(USER, PUBLIC)).isEmpty();
|
||||
}
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_ANY_METHOD);
|
||||
|
||||
assertThat(authResult).isPresent();
|
||||
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
||||
assertThat(authResult.get().userAuthInfo()).isPresent();
|
||||
assertThat(authResult.get().userAuthInfo().get().appEngineUser()).hasValue(testUser);
|
||||
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isFalse();
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isEmpty();
|
||||
for (AuthResult resultFound : ImmutableList.of(USER_PUBLIC_AUTH, USER_ADMIN_AUTH)) {
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(resultFound);
|
||||
assertThat(authorize(USER, PUBLIC)).hasValue(resultFound);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAnyUserAnyMethod_xsrfNotRequiredForGet() {
|
||||
fakeUserService.setUser(testUser, false);
|
||||
when(req.getMethod()).thenReturn("GET");
|
||||
void testAuthorize_userAdminRequired() {
|
||||
for (AuthResult resultFound : ImmutableList.of(NOT_AUTHENTICATED, APP_AUTH, USER_PUBLIC_AUTH)) {
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(resultFound);
|
||||
assertThat(authorize(USER, ADMIN)).isEmpty();
|
||||
}
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_ANY_METHOD);
|
||||
|
||||
assertThat(authResult).isPresent();
|
||||
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
||||
assertThat(authResult.get().userAuthInfo()).isPresent();
|
||||
assertThat(authResult.get().userAuthInfo().get().appEngineUser()).hasValue(testUser);
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isEmpty();
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(USER_ADMIN_AUTH);
|
||||
assertThat(authorize(USER, ADMIN)).hasValue(USER_ADMIN_AUTH);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAdminUserAnyMethod_notLoggedIn() {
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ADMIN_USER_ANY_METHOD);
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
void testAuthenticate_apiFirst() {
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(APP_AUTH);
|
||||
assertThat(authenticate(API, LEGACY)).isEqualTo(APP_AUTH);
|
||||
verify(apiAuthenticationMechanism1).authenticate(req);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism1);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism2);
|
||||
verifyNoMoreInteractions(legacyAuthenticationMechanism);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAdminUserAnyMethod_notAdminUser() {
|
||||
fakeUserService.setUser(testUser, false /* isAdmin */);
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ADMIN_USER_ANY_METHOD);
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
void testAuthenticate_apiSecond() {
|
||||
when(apiAuthenticationMechanism2.authenticate(req)).thenReturn(APP_AUTH);
|
||||
assertThat(authenticate(API, LEGACY)).isEqualTo(APP_AUTH);
|
||||
verify(apiAuthenticationMechanism1).authenticate(req);
|
||||
verify(apiAuthenticationMechanism2).authenticate(req);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism1);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism2);
|
||||
verifyNoMoreInteractions(legacyAuthenticationMechanism);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAdminUserAnyMethod_xsrfFailure() {
|
||||
fakeUserService.setUser(testUser, true);
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ADMIN_USER_ANY_METHOD);
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
void testAuthenticate_legacy() {
|
||||
when(legacyAuthenticationMechanism.authenticate(req)).thenReturn(APP_AUTH);
|
||||
assertThat(authenticate(API, LEGACY)).isEqualTo(APP_AUTH);
|
||||
verify(apiAuthenticationMechanism1).authenticate(req);
|
||||
verify(apiAuthenticationMechanism2).authenticate(req);
|
||||
verify(legacyAuthenticationMechanism).authenticate(req);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism1);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism2);
|
||||
verifyNoMoreInteractions(legacyAuthenticationMechanism);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAdminUserAnyMethod_success() {
|
||||
fakeUserService.setUser(testUser, true /* isAdmin */);
|
||||
when(req.getHeader(XsrfTokenManager.X_CSRF_TOKEN))
|
||||
.thenReturn(xsrfTokenManager.generateToken(testUser.getEmail()));
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ADMIN_USER_ANY_METHOD);
|
||||
|
||||
assertThat(authResult).isPresent();
|
||||
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
||||
assertThat(authResult.get().userAuthInfo()).isPresent();
|
||||
assertThat(authResult.get().userAuthInfo().get().appEngineUser()).hasValue(testUser);
|
||||
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isTrue();
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isEmpty();
|
||||
void testAuthenticate_returnFirstResult() {
|
||||
// API auth 2 returns an authenticted auth result, so we don't bother trying the next auth
|
||||
// (legacy auth).
|
||||
when(apiAuthenticationMechanism2.authenticate(req)).thenReturn(APP_AUTH);
|
||||
when(legacyAuthenticationMechanism.authenticate(req)).thenReturn(USER_PUBLIC_AUTH);
|
||||
assertThat(authenticate(API, LEGACY)).isEqualTo(APP_AUTH);
|
||||
verify(apiAuthenticationMechanism1).authenticate(req);
|
||||
verify(apiAuthenticationMechanism2).authenticate(req);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism1);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism2);
|
||||
verifyNoMoreInteractions(legacyAuthenticationMechanism);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testOAuth_success() {
|
||||
fakeOAuthService.setUser(testUser);
|
||||
fakeOAuthService.setOAuthEnabled(true);
|
||||
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_NO_LEGACY);
|
||||
|
||||
assertThat(authResult).isPresent();
|
||||
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
||||
assertThat(authResult.get().userAuthInfo()).isPresent();
|
||||
assertThat(authResult.get().userAuthInfo().get().appEngineUser()).hasValue(testUser);
|
||||
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isFalse();
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isPresent();
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().authorizedScopes())
|
||||
.containsAtLeast("test-scope1", "test-scope2");
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().oauthClientId())
|
||||
.isEqualTo("test-client-id");
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().rawAccessToken())
|
||||
.isEqualTo("TOKEN");
|
||||
void testAuthenticate_notAuthenticated() {
|
||||
assertThat(authenticate(API, LEGACY)).isEqualTo(NOT_AUTHENTICATED);
|
||||
verify(apiAuthenticationMechanism1).authenticate(req);
|
||||
verify(apiAuthenticationMechanism2).authenticate(req);
|
||||
verify(legacyAuthenticationMechanism).authenticate(req);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism1);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism2);
|
||||
verifyNoMoreInteractions(legacyAuthenticationMechanism);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testOAuthAdmin_success() {
|
||||
fakeOAuthService.setUser(testUser);
|
||||
fakeOAuthService.setUserAdmin(true);
|
||||
fakeOAuthService.setOAuthEnabled(true);
|
||||
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_NO_LEGACY);
|
||||
|
||||
assertThat(authResult).isPresent();
|
||||
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
||||
assertThat(authResult.get().userAuthInfo()).isPresent();
|
||||
assertThat(authResult.get().userAuthInfo().get().appEngineUser()).hasValue(testUser);
|
||||
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isTrue();
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isPresent();
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().authorizedScopes())
|
||||
.containsAtLeast("test-scope1", "test-scope2");
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().oauthClientId())
|
||||
.isEqualTo("test-client-id");
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().rawAccessToken())
|
||||
.isEqualTo("TOKEN");
|
||||
void testAuthenticate_apiOnly() {
|
||||
when(legacyAuthenticationMechanism.authenticate(req)).thenReturn(USER_PUBLIC_AUTH);
|
||||
assertThat(authenticate(API)).isEqualTo(NOT_AUTHENTICATED);
|
||||
verify(apiAuthenticationMechanism1).authenticate(req);
|
||||
verify(apiAuthenticationMechanism2).authenticate(req);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism1);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism2);
|
||||
verifyNoMoreInteractions(legacyAuthenticationMechanism);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testOAuthMissingAuthenticationToken_failure() {
|
||||
fakeOAuthService.setUser(testUser);
|
||||
fakeOAuthService.setOAuthEnabled(true);
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_NO_LEGACY);
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
void testAuthenticate_legacyOnly() {
|
||||
when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(USER_PUBLIC_AUTH);
|
||||
assertThat(authenticate(LEGACY)).isEqualTo(NOT_AUTHENTICATED);
|
||||
verify(legacyAuthenticationMechanism).authenticate(req);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism1);
|
||||
verifyNoMoreInteractions(apiAuthenticationMechanism2);
|
||||
verifyNoMoreInteractions(legacyAuthenticationMechanism);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testOAuthClientIdMismatch_failure() {
|
||||
fakeOAuthService.setUser(testUser);
|
||||
fakeOAuthService.setOAuthEnabled(true);
|
||||
fakeOAuthService.setClientId("wrong-client-id");
|
||||
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_NO_LEGACY);
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
void testOAuthNoScopes_failure() {
|
||||
fakeOAuthService.setUser(testUser);
|
||||
fakeOAuthService.setOAuthEnabled(true);
|
||||
fakeOAuthService.setAuthorizedScopes();
|
||||
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_NO_LEGACY);
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
void testOAuthMissingScope_failure() {
|
||||
fakeOAuthService.setUser(testUser);
|
||||
fakeOAuthService.setOAuthEnabled(true);
|
||||
fakeOAuthService.setAuthorizedScopes("test-scope1", "test-scope3");
|
||||
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_NO_LEGACY);
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
void testOAuthExtraScope_success() {
|
||||
fakeOAuthService.setUser(testUser);
|
||||
fakeOAuthService.setOAuthEnabled(true);
|
||||
fakeOAuthService.setAuthorizedScopes("test-scope1", "test-scope2", "test-scope3");
|
||||
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_NO_LEGACY);
|
||||
|
||||
assertThat(authResult).isPresent();
|
||||
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
||||
assertThat(authResult.get().userAuthInfo()).isPresent();
|
||||
assertThat(authResult.get().userAuthInfo().get().appEngineUser()).hasValue(testUser);
|
||||
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isFalse();
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isPresent();
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().authorizedScopes())
|
||||
.containsAtLeast("test-scope1", "test-scope2", "test-scope3");
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().oauthClientId())
|
||||
.isEqualTo("test-client-id");
|
||||
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().rawAccessToken())
|
||||
.isEqualTo("TOKEN");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAnyUserNoLegacy_failureWithLegacyUser() {
|
||||
fakeUserService.setUser(testUser, false /* isAdmin */);
|
||||
|
||||
Optional<AuthResult> authResult = runTest(fakeUserService, AUTH_ANY_USER_NO_LEGACY);
|
||||
|
||||
assertThat(authResult).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
void testCheckAuthConfig_noMethods_failure() {
|
||||
void testFailure_checkAuthConfig_noMethods() {
|
||||
IllegalArgumentException thrown =
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() -> RequestAuthenticator.checkAuthConfig(AUTH_NO_METHODS));
|
||||
() ->
|
||||
RequestAuthenticator.checkAuthConfig(
|
||||
AuthSettings.create(ImmutableList.of(), NONE, PUBLIC)));
|
||||
assertThat(thrown).hasMessageThat().contains("Must specify at least one auth method");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testCheckAuthConfig_wrongMethodOrdering_failure() {
|
||||
void testFailure_checkAuthConfig_wrongMethodOrder() {
|
||||
IllegalArgumentException thrown =
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() -> RequestAuthenticator.checkAuthConfig(AUTH_WRONG_METHOD_ORDERING));
|
||||
() ->
|
||||
RequestAuthenticator.checkAuthConfig(
|
||||
AuthSettings.create(ImmutableList.of(LEGACY, API), NONE, PUBLIC)));
|
||||
assertThat(thrown)
|
||||
.hasMessageThat()
|
||||
.contains("Auth methods must be unique and strictly in order - API, LEGACY");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testCheckAuthConfig_noneAuthLevelRequiresAdmin_failure() {
|
||||
void testFailure_CheckAuthConfig_duplicateMethods() {
|
||||
IllegalArgumentException thrown =
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() -> RequestAuthenticator.checkAuthConfig(AUTH_NONE_REQUIRES_ADMIN));
|
||||
() ->
|
||||
RequestAuthenticator.checkAuthConfig(
|
||||
AuthSettings.create(ImmutableList.of(API, API), NONE, PUBLIC)));
|
||||
assertThat(thrown)
|
||||
.hasMessageThat()
|
||||
.contains("Auth methods must be unique and strictly in order - API, LEGACY");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testFailure_checkAuthConfig_noneAuthLevelRequiresAdmin() {
|
||||
IllegalArgumentException thrown =
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() ->
|
||||
RequestAuthenticator.checkAuthConfig(
|
||||
AuthSettings.create(ImmutableList.of(API, LEGACY), NONE, ADMIN)));
|
||||
assertThat(thrown)
|
||||
.hasMessageThat()
|
||||
.contains("Actions with minimal auth level at NONE should not specify ADMIN user policy");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testCheckAuthConfig_DuplicateMethods_failure() {
|
||||
IllegalArgumentException thrown =
|
||||
assertThrows(
|
||||
IllegalArgumentException.class,
|
||||
() -> RequestAuthenticator.checkAuthConfig(AUTH_DUPLICATE_METHODS));
|
||||
assertThat(thrown)
|
||||
.hasMessageThat()
|
||||
.contains("Auth methods must be unique and strictly in order - API, LEGACY");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -16,13 +16,15 @@ package google.registry.security;
|
||||
|
||||
import static com.google.common.truth.Truth.assertThat;
|
||||
import static google.registry.util.DateTimeUtils.START_OF_TIME;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import com.google.appengine.api.users.User;
|
||||
import com.google.appengine.api.users.UserService;
|
||||
import com.google.common.base.Splitter;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
|
||||
import google.registry.testing.FakeClock;
|
||||
import google.registry.testing.FakeUserService;
|
||||
import org.joda.time.Duration;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
@@ -37,14 +39,16 @@ class XsrfTokenManagerTest {
|
||||
|
||||
private final User testUser = new User("test@example.com", "test@example.com");
|
||||
private final FakeClock clock = new FakeClock(START_OF_TIME);
|
||||
private final FakeUserService userService = new FakeUserService();
|
||||
private final UserService userService = mock(UserService.class);
|
||||
private final XsrfTokenManager xsrfTokenManager = new XsrfTokenManager(clock, userService);
|
||||
|
||||
private String token;
|
||||
|
||||
@BeforeEach
|
||||
void beforeEach() {
|
||||
userService.setUser(testUser, false);
|
||||
when(userService.isUserLoggedIn()).thenReturn(true);
|
||||
when(userService.getCurrentUser()).thenReturn(testUser);
|
||||
when(userService.isUserAdmin()).thenReturn(false);
|
||||
token = xsrfTokenManager.generateToken(testUser.getEmail());
|
||||
}
|
||||
|
||||
|
||||
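Review bot: The `@BeforeEach` stubs on the mocked `UserService` decouple `isUserLoggedIn()` from `getCurrentUser()`, which the removed `FakeUserService` kept coupled (`isUserLoggedIn()` returned `user != null`), so a test that later re-stubs only one of them can describe a user who is "logged in" with no current user, or the reverse. Any test in this class that models a logged-out user should stub both together; a comment above the three `when(...)` lines, `// Keep isUserLoggedIn() and getCurrentUser() consistent; the old FakeUserService coupled them.`, or a small helper that sets both, would keep that invariant visible. The rest of the test class is outside this hunk.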
@@ -84,7 +84,7 @@ public final class RegistryTestServer {
|
||||
|
||||
private final TestServer server;
|
||||
|
||||
/** @see TestServer#TestServer(HostAndPort, ImmutableMap, ImmutableList, ImmutableList) */
|
||||
/** @see TestServer#TestServer(HostAndPort, ImmutableMap, ImmutableList) */
|
||||
public RegistryTestServer(HostAndPort address) {
|
||||
server = new TestServer(address, RUNFILES, ROUTES);
|
||||
}
|
||||
@@ -104,7 +104,7 @@ public final class RegistryTestServer {
|
||||
server.stop();
|
||||
}
|
||||
|
||||
/** @see TestServer#getUrl(java.lang.String) */
|
||||
/** @see TestServer#getUrl(String) */
|
||||
public URL getUrl(String path) {
|
||||
return server.getUrl(path);
|
||||
}
|
||||
|
||||
@@ -25,7 +25,6 @@ import google.registry.model.console.UserRoles;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTransactionManagerExtension;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.OidcTokenAuthenticationMechanism;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.testing.UserInfo;
|
||||
@@ -148,7 +147,7 @@ public final class RegistryTestServerMain {
|
||||
.setRegistryLockPassword("registryLockPassword")
|
||||
.build();
|
||||
OidcTokenAuthenticationMechanism.setAuthResultForTesting(
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user)));
|
||||
AuthResult.createUser(UserAuthInfo.create(user)));
|
||||
new JpaTestExtensions.Builder().buildIntegrationTestExtension().beforeEach(null);
|
||||
JpaTransactionManagerExtension.loadInitialData();
|
||||
System.out.printf("%sLoading fixtures...%s\n", BLUE, RESET);
|
||||
|
||||
@@ -1,130 +0,0 @@
|
||||
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package google.registry.testing;
|
||||
|
||||
import com.google.appengine.api.oauth.OAuthRequestException;
|
||||
import com.google.appengine.api.oauth.OAuthService;
|
||||
import com.google.appengine.api.users.User;
|
||||
import com.google.common.collect.ImmutableList;
|
||||
import java.util.List;
|
||||
|
||||
/** A fake {@link OAuthService} implementation for testing. */
|
||||
public class FakeOAuthService implements OAuthService {
|
||||
|
||||
private boolean isOAuthEnabled;
|
||||
private User currentUser;
|
||||
private boolean isUserAdmin;
|
||||
private String clientId;
|
||||
private ImmutableList<String> authorizedScopes;
|
||||
|
||||
public FakeOAuthService(
|
||||
boolean isOAuthEnabled,
|
||||
User currentUser,
|
||||
boolean isUserAdmin,
|
||||
String clientId,
|
||||
List<String> authorizedScopes) {
|
||||
this.isOAuthEnabled = isOAuthEnabled;
|
||||
this.currentUser = currentUser;
|
||||
this.isUserAdmin = isUserAdmin;
|
||||
this.clientId = clientId;
|
||||
this.authorizedScopes = ImmutableList.copyOf(authorizedScopes);
|
||||
}
|
||||
|
||||
public void setOAuthEnabled(boolean isOAuthEnabled) {
|
||||
this.isOAuthEnabled = isOAuthEnabled;
|
||||
}
|
||||
|
||||
public void setUser(User currentUser) {
|
||||
this.currentUser = currentUser;
|
||||
}
|
||||
|
||||
public void setUserAdmin(boolean isUserAdmin) {
|
||||
this.isUserAdmin = isUserAdmin;
|
||||
}
|
||||
|
||||
public void setClientId(String clientId) {
|
||||
this.clientId = clientId;
|
||||
}
|
||||
|
||||
public void setAuthorizedScopes(String... scopes) {
|
||||
this.authorizedScopes = ImmutableList.copyOf(scopes);
|
||||
}
|
||||
|
||||
@Override
|
||||
public User getCurrentUser() throws OAuthRequestException {
|
||||
if (!isOAuthEnabled) {
|
||||
throw new OAuthRequestException("invalid OAuth request");
|
||||
}
|
||||
return currentUser;
|
||||
}
|
||||
|
||||
@Override
|
||||
public User getCurrentUser(String scope) throws OAuthRequestException {
|
||||
return getCurrentUser();
|
||||
}
|
||||
|
||||
@Override
|
||||
public User getCurrentUser(String... scopes) throws OAuthRequestException {
|
||||
return getCurrentUser();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isUserAdmin() throws OAuthRequestException {
|
||||
if (!isOAuthEnabled) {
|
||||
throw new OAuthRequestException("invalid OAuth request");
|
||||
}
|
||||
return isUserAdmin;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isUserAdmin(String scope) throws OAuthRequestException {
|
||||
return isUserAdmin();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isUserAdmin(String... scopes) throws OAuthRequestException {
|
||||
return isUserAdmin();
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getClientId(String scope) throws OAuthRequestException {
|
||||
if (!isOAuthEnabled) {
|
||||
throw new OAuthRequestException("invalid OAuth request");
|
||||
}
|
||||
return clientId;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getClientId(String... scopes) throws OAuthRequestException {
|
||||
if (!isOAuthEnabled) {
|
||||
throw new OAuthRequestException("invalid OAuth request");
|
||||
}
|
||||
return clientId;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String[] getAuthorizedScopes(String... scopes) throws OAuthRequestException {
|
||||
if (!isOAuthEnabled) {
|
||||
throw new OAuthRequestException("invalid OAuth request");
|
||||
}
|
||||
return authorizedScopes.toArray(new String[0]);
|
||||
}
|
||||
|
||||
@Deprecated
|
||||
@Override
|
||||
public String getOAuthConsumerKey() {
|
||||
throw new UnsupportedOperationException();
|
||||
}
|
||||
}
|
||||
@@ -1,76 +0,0 @@
|
||||
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package google.registry.testing;
|
||||
|
||||
import com.google.appengine.api.users.User;
|
||||
import com.google.appengine.api.users.UserService;
|
||||
import google.registry.model.annotations.DeleteAfterMigration;
|
||||
import java.util.Set;
|
||||
import javax.annotation.Nullable;
|
||||
|
||||
/** Fake implementation of {@link UserService} for testing. */
|
||||
@DeleteAfterMigration
|
||||
public class FakeUserService implements UserService {
|
||||
|
||||
@Nullable private User user = null;
|
||||
private boolean isAdmin = false;
|
||||
|
||||
public void setUser(@Nullable User user, boolean isAdmin) {
|
||||
this.user = user;
|
||||
this.isAdmin = isAdmin;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String createLoginURL(String destinationURL) {
|
||||
return String.format("/login?dest=%s", destinationURL);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String createLoginURL(String destinationURL, String authDomain) {
|
||||
return createLoginURL(destinationURL);
|
||||
}
|
||||
|
||||
@Deprecated
|
||||
@Override
|
||||
public String createLoginURL(String destinationURL, String authDomain, String federatedIdentity,
|
||||
Set<String> attributesRequest) {
|
||||
throw new UnsupportedOperationException();
|
||||
}
|
||||
|
||||
@Override
|
||||
public String createLogoutURL(String destinationURL) {
|
||||
return String.format("/logout?dest=%s", destinationURL);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String createLogoutURL(String destinationURL, String authDomain) {
|
||||
return createLogoutURL(destinationURL);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isUserLoggedIn() {
|
||||
return user != null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isUserAdmin() {
|
||||
return isAdmin;
|
||||
}
|
||||
|
||||
@Override
|
||||
public User getCurrentUser() {
|
||||
return user;
|
||||
}
|
||||
}
|
||||
@@ -72,7 +72,7 @@ class AuthModuleTest {
|
||||
}
|
||||
})
|
||||
// We need to set the following fields because they are checked when
|
||||
// Credential#setRefreshToken is called. However they are not actually persisted in the
|
||||
// Credential#setRefreshToken is called. However, they are not actually persisted in the
|
||||
// DataStore and not actually used in tests.
|
||||
.setJsonFactory(new GsonFactory())
|
||||
.setTransport(new NetHttpTransport())
|
||||
@@ -104,7 +104,7 @@ class AuthModuleTest {
|
||||
AuthModule.provideClientScopeQualifier("client-id", ImmutableList.of("foo", "bar"));
|
||||
|
||||
// If we change the way we encode client id and scopes, this assertion will break. That's
|
||||
// probably ok and you can just change the text. The things you have to be aware of are:
|
||||
// probably ok, and you can just change the text. The things you have to be aware of are:
|
||||
// - Names in the new encoding should have a low risk of collision with the old encoding.
|
||||
// - Changing the encoding will force all OAuth users of the nomulus tool to do a new login
|
||||
// (existing credentials will not be used).
|
||||
@@ -155,7 +155,7 @@ class AuthModuleTest {
|
||||
AuthModule.provideClientScopeQualifier(AuthModule.provideClientId(clientSecrets), scopes));
|
||||
}
|
||||
|
||||
private GoogleClientSecrets getSecrets() {
|
||||
private static GoogleClientSecrets getSecrets() {
|
||||
return new GoogleClientSecrets()
|
||||
.setInstalled(
|
||||
AuthModule.provideDefaultInstalledDetails()
|
||||
@@ -166,7 +166,8 @@ class AuthModuleTest {
|
||||
@Test
|
||||
void test_provideLocalCredentialJson() {
|
||||
String credentialJson =
|
||||
AuthModule.provideLocalCredentialJson(this::getSecrets, this::getCredential, null);
|
||||
AuthModule.provideLocalCredentialJson(
|
||||
AuthModuleTest::getSecrets, this::getCredential, null);
|
||||
Map<String, String> jsonMap =
|
||||
new Gson().fromJson(credentialJson, new TypeToken<Map<String, String>>() {}.getType());
|
||||
assertThat(jsonMap.get("type")).isEqualTo("authorized_user");
|
||||
@@ -182,7 +183,7 @@ class AuthModuleTest {
|
||||
Files.write(credentialFile.toPath(), "{some_field: some_value}".getBytes(UTF_8));
|
||||
String credentialJson =
|
||||
AuthModule.provideLocalCredentialJson(
|
||||
this::getSecrets, this::getCredential, credentialFile.getCanonicalPath());
|
||||
AuthModuleTest::getSecrets, this::getCredential, credentialFile.getCanonicalPath());
|
||||
assertThat(credentialJson).isEqualTo("{some_field: some_value}");
|
||||
}
|
||||
|
||||
|
||||
@@ -18,9 +18,6 @@ import static com.google.common.truth.Truth.assertThat;
|
||||
import static google.registry.tools.RequestFactoryModule.REQUEST_TIMEOUT_MS;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import com.google.api.client.http.GenericUrl;
|
||||
@@ -35,6 +32,7 @@ import com.google.auth.oauth2.UserCredentials;
|
||||
import google.registry.config.RegistryConfig;
|
||||
import google.registry.testing.SystemPropertyExtension;
|
||||
import google.registry.util.GoogleCredentialsBundle;
|
||||
import java.util.List;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
@@ -50,7 +48,6 @@ public class RequestFactoryModuleTest {
|
||||
final SystemPropertyExtension systemPropertyExtension = new SystemPropertyExtension();
|
||||
|
||||
@Mock public GoogleCredentialsBundle credentialsBundle;
|
||||
@Mock public HttpRequestInitializer httpRequestInitializer;
|
||||
|
||||
@BeforeEach
|
||||
void beforeEach() {
|
||||
@@ -64,12 +61,11 @@ public class RequestFactoryModuleTest {
|
||||
RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = true;
|
||||
try {
|
||||
HttpRequestFactory factory =
|
||||
RequestFactoryModule.provideHttpRequestFactory(credentialsBundle, "client-id", false);
|
||||
RequestFactoryModule.provideHttpRequestFactory(credentialsBundle, "client-id");
|
||||
HttpRequestInitializer initializer = factory.getInitializer();
|
||||
assertThat(initializer).isNotNull();
|
||||
HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
|
||||
initializer.initialize(request);
|
||||
verifyNoInteractions(httpRequestInitializer);
|
||||
} finally {
|
||||
RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = origIsLocal;
|
||||
}
|
||||
@@ -77,7 +73,6 @@ public class RequestFactoryModuleTest {
|
||||
|
||||
@Test
|
||||
void test_provideHttpRequestFactory_remote() throws Exception {
|
||||
when(credentialsBundle.getHttpRequestInitializer()).thenReturn(httpRequestInitializer);
|
||||
// Mock the request/response to/from the OIDC server requesting an ID token
|
||||
UserCredentials mockUserCredentials = mock(UserCredentials.class);
|
||||
when(credentialsBundle.getGoogleCredentials()).thenReturn(mockUserCredentials);
|
||||
@@ -97,23 +92,15 @@ public class RequestFactoryModuleTest {
|
||||
boolean origIsLocal = RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal;
|
||||
RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = false;
|
||||
try {
|
||||
// With OAuth header.
|
||||
HttpRequestFactory factory =
|
||||
RequestFactoryModule.provideHttpRequestFactory(credentialsBundle, "clientId", true);
|
||||
RequestFactoryModule.provideHttpRequestFactory(credentialsBundle, "clientId");
|
||||
HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
|
||||
assertThat(request.getHeaders().get("Proxy-Authorization")).isEqualTo("Bearer oidc.token");
|
||||
@SuppressWarnings("unchecked")
|
||||
List<String> authHeaders = (List<String>) request.getHeaders().get("Authorization");
|
||||
assertThat(authHeaders.size()).isEqualTo(1);
|
||||
assertThat(authHeaders.get(0)).isEqualTo("Bearer oidc.token");
|
||||
assertThat(request.getConnectTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
|
||||
assertThat(request.getReadTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
|
||||
verify(httpRequestInitializer).initialize(request);
|
||||
verifyNoMoreInteractions(httpRequestInitializer);
|
||||
// No OAuth header.
|
||||
factory =
|
||||
RequestFactoryModule.provideHttpRequestFactory(credentialsBundle, "clientId", false);
|
||||
request = factory.buildGetRequest(new GenericUrl("http://localhost"));
|
||||
assertThat(request.getHeaders().get("Proxy-Authorization")).isEqualTo("Bearer oidc.token");
|
||||
assertThat(request.getConnectTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
|
||||
assertThat(request.getReadTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
|
||||
verifyNoMoreInteractions(httpRequestInitializer);
|
||||
} finally {
|
||||
RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = origIsLocal;
|
||||
}
|
||||
|
||||
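Review bot: With the "No OAuth header" branch removed, the remote-path test no longer makes any assertion about the `Authorization` header, so a build of `provideHttpRequestFactory` that still put the bearer token there as well as in `Proxy-Authorization` (the behaviour the old `true` flag produced) would pass unnoticed. Since the intent of the change is that only `Proxy-Authorization` carries the OIDC token, pin the negative case next to the existing check: `assertThat(request.getHeaders().get("Authorization")).isNull();`. The enclosing `test_provideHttpRequestFactory_remote` method begins in the preceding hunk, so its setup is only partly visible here.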
@@ -27,7 +27,6 @@ import google.registry.model.console.UserRoles;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.request.RequestModule;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.testing.DatabaseHelper;
|
||||
import google.registry.testing.FakeResponse;
|
||||
@@ -55,8 +54,7 @@ public class ConsoleDomainGetActionTest {
|
||||
void testSuccess_fullJsonRepresentation() {
|
||||
ConsoleDomainGetAction action =
|
||||
createAction(
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(
|
||||
new UserRoles.Builder()
|
||||
@@ -85,7 +83,8 @@ public class ConsoleDomainGetActionTest {
|
||||
|
||||
@Test
|
||||
void testFailure_appAuth() {
|
||||
ConsoleDomainGetAction action = createAction(AuthResult.create(AuthLevel.APP), "exists.tld");
|
||||
ConsoleDomainGetAction action =
|
||||
createAction(AuthResult.createApp("service@registry.example"), "exists.tld");
|
||||
action.run();
|
||||
assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
|
||||
}
|
||||
@@ -94,8 +93,7 @@ public class ConsoleDomainGetActionTest {
|
||||
void testFailure_wrongTypeOfUser() {
|
||||
ConsoleDomainGetAction action =
|
||||
createAction(
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(mock(com.google.appengine.api.users.User.class), false)),
|
||||
"exists.tld");
|
||||
action.run();
|
||||
@@ -106,8 +104,7 @@ public class ConsoleDomainGetActionTest {
|
||||
void testFailure_noAccessToRegistrar() {
|
||||
ConsoleDomainGetAction action =
|
||||
createAction(
|
||||
AuthResult.create(
|
||||
AuthLevel.USER, UserAuthInfo.create(createUser(new UserRoles.Builder().build()))),
|
||||
AuthResult.createUser(UserAuthInfo.create(createUser(new UserRoles.Builder().build()))),
|
||||
"exists.tld");
|
||||
action.run();
|
||||
assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
|
||||
@@ -117,8 +114,7 @@ public class ConsoleDomainGetActionTest {
|
||||
void testFailure_nonexistentDomain() {
|
||||
ConsoleDomainGetAction action =
|
||||
createAction(
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))),
|
||||
"nonexistent.tld");
|
||||
action.run();
|
||||
|
||||
@@ -24,7 +24,6 @@ import google.registry.model.console.UserRoles;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.request.RequestModule;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.testing.FakeResponse;
|
||||
import java.io.IOException;
|
||||
@@ -50,8 +49,7 @@ class ConsoleUserDataActionTest {
|
||||
.setUserRoles(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build())
|
||||
.build();
|
||||
|
||||
ConsoleUserDataAction action =
|
||||
createAction(AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user)));
|
||||
ConsoleUserDataAction action = createAction(AuthResult.createUser(UserAuthInfo.create(user)));
|
||||
action.run();
|
||||
assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
|
||||
Map jsonObject = GSON.fromJson(response.getPayload(), Map.class);
|
||||
@@ -63,8 +61,7 @@ class ConsoleUserDataActionTest {
|
||||
void testFailure_notAConsoleUser() throws IOException {
|
||||
ConsoleUserDataAction action =
|
||||
createAction(
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
new com.google.appengine.api.users.User(
|
||||
"JohnDoe@theregistrar.com", "theregistrar.com"),
|
||||
|
||||
@@ -38,7 +38,6 @@ import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.request.Action;
|
||||
import google.registry.request.RequestModule;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.testing.DeterministicStringGenerator;
|
||||
import google.registry.testing.FakeResponse;
|
||||
@@ -108,8 +107,7 @@ class RegistrarsActionTest {
|
||||
RegistrarsAction action =
|
||||
createAction(
|
||||
Action.Method.GET,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(
|
||||
new UserRoles.Builder().setGlobalRole(GlobalRole.SUPPORT_LEAD).build()))));
|
||||
@@ -129,8 +127,7 @@ class RegistrarsActionTest {
|
||||
RegistrarsAction action =
|
||||
createAction(
|
||||
Action.Method.GET,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))));
|
||||
action.run();
|
||||
@@ -151,8 +148,7 @@ class RegistrarsActionTest {
|
||||
RegistrarsAction action =
|
||||
createAction(
|
||||
Action.Method.POST,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))));
|
||||
action.run();
|
||||
assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
|
||||
@@ -180,8 +176,7 @@ class RegistrarsActionTest {
|
||||
RegistrarsAction action =
|
||||
createAction(
|
||||
Action.Method.POST,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(new UserRoles.Builder().setIsAdmin(true).build()))));
|
||||
action.run();
|
||||
@@ -200,8 +195,7 @@ class RegistrarsActionTest {
|
||||
RegistrarsAction action =
|
||||
createAction(
|
||||
Action.Method.POST,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))));
|
||||
action.run();
|
||||
assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
|
||||
@@ -215,8 +209,7 @@ class RegistrarsActionTest {
|
||||
RegistrarsAction action =
|
||||
createAction(
|
||||
Action.Method.GET,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(
|
||||
new UserRoles.Builder()
|
||||
|
||||
@@ -37,7 +37,6 @@ import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.request.Action;
|
||||
import google.registry.request.RequestModule;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.testing.FakeResponse;
|
||||
import google.registry.ui.server.registrar.RegistrarConsoleModule;
|
||||
@@ -103,8 +102,7 @@ class ContactActionTest {
|
||||
ContactAction action =
|
||||
createAction(
|
||||
Action.Method.GET,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))),
|
||||
testRegistrar.getRegistrarId(),
|
||||
@@ -121,8 +119,7 @@ class ContactActionTest {
|
||||
ContactAction action =
|
||||
createAction(
|
||||
Action.Method.GET,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))),
|
||||
testRegistrar.getRegistrarId(),
|
||||
@@ -137,8 +134,7 @@ class ContactActionTest {
|
||||
ContactAction action =
|
||||
createAction(
|
||||
Action.Method.POST,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))),
|
||||
testRegistrar.getRegistrarId(),
|
||||
@@ -160,8 +156,7 @@ class ContactActionTest {
|
||||
ContactAction action =
|
||||
createAction(
|
||||
Action.Method.POST,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))),
|
||||
testRegistrar.getRegistrarId(),
|
||||
@@ -186,8 +181,7 @@ class ContactActionTest {
|
||||
ContactAction action =
|
||||
createAction(
|
||||
Action.Method.POST,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))),
|
||||
testRegistrar.getRegistrarId(),
|
||||
@@ -208,8 +202,7 @@ class ContactActionTest {
|
||||
ContactAction action =
|
||||
createAction(
|
||||
Action.Method.POST,
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(
|
||||
new UserRoles.Builder()
|
||||
|
||||
@@ -35,7 +35,6 @@ import google.registry.model.registrar.Registrar;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.request.RequestModule;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.testing.FakeClock;
|
||||
@@ -92,8 +91,7 @@ class SecurityActionTest {
|
||||
clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
|
||||
SecurityAction action =
|
||||
createAction(
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))),
|
||||
testRegistrar.getRegistrarId());
|
||||
|
||||
@@ -33,7 +33,6 @@ import google.registry.model.registrar.Registrar;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.request.RequestModule;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
@@ -127,8 +126,7 @@ public class WhoisRegistrarFieldsActionTest {
|
||||
void testFailure_noAccessToRegistrar() throws Exception {
|
||||
Registrar newRegistrar = Registrar.loadByRegistrarIdCached("NewRegistrar").get();
|
||||
AuthResult onlyTheRegistrar =
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
new User.Builder()
|
||||
.setEmailAddress("email@email.example")
|
||||
@@ -147,8 +145,7 @@ public class WhoisRegistrarFieldsActionTest {
|
||||
}
|
||||
|
||||
private AuthResult defaultUserAuth() {
|
||||
return AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
return AuthResult.createUser(
|
||||
UserAuthInfo.create(
|
||||
new User.Builder()
|
||||
.setEmailAddress("email@email.example")
|
||||
|
||||
@@ -37,7 +37,6 @@ import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
|
||||
import google.registry.request.Action.Method;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.security.XsrfTokenManager;
|
||||
@@ -93,7 +92,7 @@ public final class ConsoleOteSetupActionTest {
|
||||
ImmutableSetMultimap.of("unused", AuthenticatedRegistrarAccessor.Role.ADMIN));
|
||||
action.userService = UserServiceFactory.getUserService();
|
||||
action.xsrfTokenManager = new XsrfTokenManager(new FakeClock(), action.userService);
|
||||
action.authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user, false));
|
||||
action.authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
|
||||
action.sendEmailUtils =
|
||||
new SendEmailUtils(
|
||||
new InternetAddress("outgoing@registry.example"),
|
||||
|
||||
@@ -37,7 +37,6 @@ import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
|
||||
import google.registry.request.Action.Method;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.security.XsrfTokenManager;
|
||||
@@ -93,7 +92,7 @@ final class ConsoleRegistrarCreatorActionTest {
|
||||
ImmutableSetMultimap.of("unused", AuthenticatedRegistrarAccessor.Role.ADMIN));
|
||||
action.userService = UserServiceFactory.getUserService();
|
||||
action.xsrfTokenManager = new XsrfTokenManager(new FakeClock(), action.userService);
|
||||
action.authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user, false));
|
||||
action.authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
|
||||
action.sendEmailUtils =
|
||||
new SendEmailUtils(
|
||||
new InternetAddress("outgoing@registry.example"),
|
||||
|
||||
@@ -32,7 +32,6 @@ import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
|
||||
import google.registry.request.Action.Method;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.security.XsrfTokenManager;
|
||||
@@ -78,7 +77,7 @@ class ConsoleUiActionTest {
|
||||
action.xsrfTokenManager = new XsrfTokenManager(new FakeClock(), action.userService);
|
||||
action.method = Method.GET;
|
||||
action.paramClientId = Optional.empty();
|
||||
action.authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user, false));
|
||||
action.authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
|
||||
action.analyticsConfig = ImmutableMap.of("googleAnalyticsId", "sampleId");
|
||||
|
||||
action.registrarAccessor =
|
||||
|
||||
@@ -44,7 +44,6 @@ import google.registry.request.JsonActionRunner;
|
||||
import google.registry.request.JsonResponse;
|
||||
import google.registry.request.ResponseImpl;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.testing.CloudTasksHelper;
|
||||
@@ -113,8 +112,7 @@ public abstract class RegistrarSettingsActionTestCase {
|
||||
gmailClient);
|
||||
action.registrarConsoleMetrics = new RegistrarConsoleMetrics();
|
||||
action.authResult =
|
||||
AuthResult.create(
|
||||
AuthLevel.USER,
|
||||
AuthResult.createUser(
|
||||
UserAuthInfo.create(new User("user@email.com", "email.com", "12345"), false));
|
||||
action.certificateChecker =
|
||||
new CertificateChecker(
|
||||
|
||||
@@ -40,7 +40,6 @@ import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
|
||||
import google.registry.request.Action.Method;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.testing.FakeClock;
|
||||
@@ -75,7 +74,7 @@ final class RegistryLockGetActionTest {
|
||||
void beforeEach() {
|
||||
user = userFromRegistrarPoc(makeRegistrarContact3());
|
||||
fakeClock.setTo(DateTime.parse("2000-06-08T22:00:00.0Z"));
|
||||
authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user, false));
|
||||
authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
|
||||
accessor =
|
||||
AuthenticatedRegistrarAccessor.createForTesting(
|
||||
ImmutableSetMultimap.of(
|
||||
@@ -109,7 +108,7 @@ final class RegistryLockGetActionTest {
|
||||
.build())
|
||||
.build();
|
||||
|
||||
action.authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(consoleUser));
|
||||
action.authResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
|
||||
action.run();
|
||||
assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
|
||||
assertThat(GSON.fromJson(response.getPayload(), Map.class))
|
||||
@@ -336,7 +335,7 @@ final class RegistryLockGetActionTest {
|
||||
persistResource(makeRegistrar2().asBuilder().setRegistryLockAllowed(false).build());
|
||||
// disallow the other user
|
||||
persistResource(makeRegistrarContact2().asBuilder().setLoginEmailAddress(null).build());
|
||||
authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user, true));
|
||||
authResult = AuthResult.createUser(UserAuthInfo.create(user, true));
|
||||
accessor =
|
||||
AuthenticatedRegistrarAccessor.createForTesting(
|
||||
ImmutableSetMultimap.of(
|
||||
@@ -364,7 +363,7 @@ final class RegistryLockGetActionTest {
|
||||
void testSuccess_linkedToLoginContactEmail() {
|
||||
// Note that the email address is case-insensitive.
|
||||
user = new User("marla.singer@crr.com", "crr.com", user.getUserId());
|
||||
authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user, false));
|
||||
authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
|
||||
action =
|
||||
new RegistryLockGetAction(
|
||||
Method.GET, response, accessor, authResult, Optional.of("TheRegistrar"));
|
||||
|
||||
@@ -45,7 +45,6 @@ import google.registry.request.JsonActionRunner;
|
||||
import google.registry.request.JsonResponse;
|
||||
import google.registry.request.ResponseImpl;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
@@ -115,8 +114,7 @@ final class RegistryLockPostActionTest {
|
||||
when(mockRequest.getServerName()).thenReturn("registrarconsole.tld");
|
||||
|
||||
action =
|
||||
createAction(
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userWithLockPermission, false)));
|
||||
createAction(AuthResult.createUser(UserAuthInfo.create(userWithLockPermission, false)));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -154,9 +152,7 @@ final class RegistryLockPostActionTest {
|
||||
saveRegistryLock(
|
||||
createLock().asBuilder().isSuperuser(true).setLockCompletionTime(clock.nowUtc()).build());
|
||||
persistResource(domain.asBuilder().setStatusValues(REGISTRY_LOCK_STATUSES).build());
|
||||
action =
|
||||
createAction(
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userWithoutPermission, true)));
|
||||
action = createAction(AuthResult.createUser(UserAuthInfo.create(userWithoutPermission, true)));
|
||||
Map<String, ?> response = action.handleJsonRequest(unlockRequest());
|
||||
// we should still email the admin user's email address
|
||||
assertSuccess(response, "unlock", "johndoe@theregistrar.com");
|
||||
@@ -166,8 +162,7 @@ final class RegistryLockPostActionTest {
|
||||
void testSuccess_linkedToLoginEmail() throws Exception {
|
||||
userWithLockPermission = new User("Marla.Singer@crr.com", "crr.com");
|
||||
action =
|
||||
createAction(
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userWithLockPermission, false)));
|
||||
createAction(AuthResult.createUser(UserAuthInfo.create(userWithLockPermission, false)));
|
||||
Map<String, ?> response = action.handleJsonRequest(lockRequest());
|
||||
assertSuccess(response, "lock", "Marla.Singer.RegistryLock@crr.com");
|
||||
}
|
||||
@@ -205,18 +200,14 @@ final class RegistryLockPostActionTest {
|
||||
@Test
|
||||
void testSuccess_adminUser() throws Exception {
|
||||
// Admin user should be able to lock/unlock regardless -- and we use the admin user's email
|
||||
action =
|
||||
createAction(
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userWithoutPermission, true)));
|
||||
action = createAction(AuthResult.createUser(UserAuthInfo.create(userWithoutPermission, true)));
|
||||
Map<String, ?> response = action.handleJsonRequest(lockRequest());
|
||||
assertSuccess(response, "lock", "johndoe@theregistrar.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testSuccess_adminUser_doesNotRequirePassword() throws Exception {
|
||||
action =
|
||||
createAction(
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userWithoutPermission, true)));
|
||||
action = createAction(AuthResult.createUser(UserAuthInfo.create(userWithoutPermission, true)));
|
||||
Map<String, ?> response =
|
||||
action.handleJsonRequest(
|
||||
ImmutableMap.of(
|
||||
@@ -239,8 +230,7 @@ final class RegistryLockPostActionTest {
|
||||
.build())
|
||||
.setRegistryLockPassword("hi")
|
||||
.build();
|
||||
AuthResult consoleAuthResult =
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(consoleUser));
|
||||
AuthResult consoleAuthResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
|
||||
action = createAction(consoleAuthResult);
|
||||
Map<String, ?> response = action.handleJsonRequest(lockRequest());
|
||||
assertSuccess(response, "lock", "johndoe@theregistrar.com");
|
||||
@@ -253,8 +243,7 @@ final class RegistryLockPostActionTest {
|
||||
.setEmailAddress("johndoe@theregistrar.com")
|
||||
.setUserRoles(new UserRoles.Builder().setIsAdmin(true).build())
|
||||
.build();
|
||||
AuthResult consoleAuthResult =
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(consoleUser));
|
||||
AuthResult consoleAuthResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
|
||||
action = createAction(consoleAuthResult);
|
||||
Map<String, Object> requestMapWithoutPassword =
|
||||
ImmutableMap.of(
|
||||
@@ -286,7 +275,7 @@ final class RegistryLockPostActionTest {
|
||||
@Test
|
||||
void testFailure_unauthorizedRegistrarId() {
|
||||
AuthResult authResult =
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userWithLockPermission, false));
|
||||
AuthResult.createUser(UserAuthInfo.create(userWithLockPermission, false));
|
||||
action = createAction(authResult, ImmutableSet.of("TheRegistrar"));
|
||||
Map<String, ?> response =
|
||||
action.handleJsonRequest(
|
||||
@@ -358,9 +347,7 @@ final class RegistryLockPostActionTest {
|
||||
|
||||
@Test
|
||||
void testFailure_notEnabledForRegistrarPoc() {
|
||||
action =
|
||||
createAction(
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userWithoutPermission, false)));
|
||||
action = createAction(AuthResult.createUser(UserAuthInfo.create(userWithoutPermission, false)));
|
||||
Map<String, ?> response =
|
||||
action.handleJsonRequest(
|
||||
ImmutableMap.of(
|
||||
@@ -453,8 +440,7 @@ final class RegistryLockPostActionTest {
|
||||
.build())
|
||||
.setRegistryLockPassword("hi")
|
||||
.build();
|
||||
AuthResult consoleAuthResult =
|
||||
AuthResult.create(AuthLevel.USER, UserAuthInfo.create(consoleUser));
|
||||
AuthResult consoleAuthResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
|
||||
action = createAction(consoleAuthResult);
|
||||
Map<String, ?> response =
|
||||
action.handleJsonRequest(
|
||||
|
||||
@@ -43,7 +43,6 @@ import google.registry.model.tld.Tld;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions;
|
||||
import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
|
||||
import google.registry.request.auth.AuthResult;
|
||||
import google.registry.request.auth.AuthSettings.AuthLevel;
|
||||
import google.registry.request.auth.UserAuthInfo;
|
||||
import google.registry.security.XsrfTokenManager;
|
||||
import google.registry.testing.CloudTasksHelper;
|
||||
@@ -132,7 +131,7 @@ final class RegistryLockVerifyActionTest {
|
||||
|
||||
@Test
|
||||
void testSuccess_adminLock_createsOnlyHistoryEntry() {
|
||||
action.authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user, true));
|
||||
action.authResult = AuthResult.createUser(UserAuthInfo.create(user, true));
|
||||
saveRegistryLock(createLock().asBuilder().isSuperuser(true).build());
|
||||
|
||||
action.run();
|
||||
@@ -332,7 +331,7 @@ final class RegistryLockVerifyActionTest {
|
||||
stringGenerator, "adminreg", cloudTasksHelper.getTestCloudTasksUtils()),
|
||||
lockVerificationCode,
|
||||
isLock);
|
||||
authResult = AuthResult.create(AuthLevel.USER, UserAuthInfo.create(user, false));
|
||||
authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
|
||||
action.req = request;
|
||||
action.response = response;
|
||||
action.authResult = authResult;
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY
|
||||
/_dr/epp EppTlsAction POST n API APP PUBLIC
|
||||
/_dr/epp EppTlsAction POST n API APP ADMIN
|
||||
/console-api/domain ConsoleDomainGetAction GET n API,LEGACY USER PUBLIC
|
||||
/console-api/registrars RegistrarsAction GET,POST n API,LEGACY USER PUBLIC
|
||||
/console-api/settings/contacts ContactAction GET,POST n API,LEGACY USER PUBLIC
|
||||
@@ -13,4 +13,4 @@ PATH CLASS METHODS OK AUT
|
||||
/registrar-settings RegistrarSettingsAction POST n API,LEGACY USER PUBLIC
|
||||
/registry-lock-get RegistryLockGetAction GET n API,LEGACY USER PUBLIC
|
||||
/registry-lock-post RegistryLockPostAction POST n API,LEGACY USER PUBLIC
|
||||
/registry-lock-verify RegistryLockVerifyAction GET n API,LEGACY NONE PUBLIC
|
||||
/registry-lock-verify RegistryLockVerifyAction GET n API,LEGACY NONE PUBLIC
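Review bot: The EPP route's user policy is tightened from `PUBLIC` to `ADMIN` at the `APP` auth level in this golden file (`/_dr/epp EppTlsAction POST n API APP ADMIN`), and the pubapi routing hunk below makes the same change for `/_dr/whois WhoisAction`. That is only equivalent to the former allowlisted-OAuth behaviour if the remaining `API` mechanism classifies the proxy's service account as admin; if the production proxy identity is not in that admin set, both endpoints start rejecting proxy traffic at the authenticator instead of deferring authorization to the action, and nothing in this diff shows where that mapping is configured. Since the golden file itself cannot carry a comment without breaking the routing test, the Javadoc of the `Auth` constant these routes use would be the place to state it, e.g. `EPP and WHOIS are reached only via the proxy; APP-level ADMIN replaces the old OAuth client-ID allowlist, so the proxy's service account must be configured as admin.` A deploy-time assertion that the proxy service account email is present in the admin configuration would also be worthwhile, because a mismatch surfaces as a silent production outage rather than a test failure.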
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY
|
||||
/_dr/whois WhoisAction POST n API APP PUBLIC
|
||||
/_dr/whois WhoisAction POST n API APP ADMIN
|
||||
/check CheckApiAction GET n API,LEGACY NONE PUBLIC
|
||||
/rdap/autnum/(*) RdapAutnumAction GET,HEAD n API,LEGACY NONE PUBLIC
|
||||
/rdap/domain/(*) RdapDomainAction GET,HEAD n API,LEGACY NONE PUBLIC
|
||||
|
||||