From 3c4bf1e690d0a02ba31857b16791c5d92c9ad3e5 Mon Sep 17 00:00:00 2001
From: nickfelt <nickfelt@google.com>
Date: Fri, 10 Feb 2017 10:23:21 -0800
Subject: [PATCH] Add request/auth tests to Nomulus release

Followup to []

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=147169636
---
 javatests/google/registry/request/auth/BUILD  |  33 ++++
 .../auth/RequestAuthenticatorTest.java        | 187 ++++++++++++++++++
 2 files changed, 220 insertions(+)
 create mode 100644 javatests/google/registry/request/auth/BUILD
 create mode 100644 javatests/google/registry/request/auth/RequestAuthenticatorTest.java

diff --git a/javatests/google/registry/request/auth/BUILD b/javatests/google/registry/request/auth/BUILD
new file mode 100644
index 000000000..3fc08be07
--- /dev/null
+++ b/javatests/google/registry/request/auth/BUILD
@@ -0,0 +1,33 @@
+package(
+    default_testonly = 1,
+    default_visibility = ["//java/google/registry:registry_project"],
+)
+
+licenses(["notice"])  # Apache 2.0
+
+load("//java/com/google/testing/builddefs:GenTestRules.bzl", "GenTestRules")
+
+java_library(
+    name = "auth",
+    srcs = glob(["*.java"]),
+    resources = glob(["testdata/*"]),
+    deps = [
+        "//java/google/registry/request",
+        "//java/google/registry/request/auth",
+        "//javatests/google/registry/testing",
+        "//third_party/java/objectify:objectify-v4_1",
+        "@com_google_appengine_api_1_0_sdk//:testonly",
+        "@com_google_appengine_tools_appengine_gcs_client",
+        "@com_google_code_findbugs_jsr305",
+        "@com_google_guava",
+        "@com_google_truth",
+        "@junit",
+        "@org_mockito_all",
+    ],
+)
+
+GenTestRules(
+    name = "GeneratedTestRules",
+    test_files = glob(["*Test.java"]),
+    deps = [":auth"],
+)
diff --git a/javatests/google/registry/request/auth/RequestAuthenticatorTest.java b/javatests/google/registry/request/auth/RequestAuthenticatorTest.java
new file mode 100644
index 000000000..4ccdca2b4
--- /dev/null
+++ b/javatests/google/registry/request/auth/RequestAuthenticatorTest.java
@@ -0,0 +1,187 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.request.auth;
+
+import static com.google.common.truth.Truth.assertThat;
+import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.when;
+
+import com.google.appengine.api.oauth.OAuthServiceFactory;
+import com.google.appengine.api.users.User;
+import com.google.appengine.api.users.UserService;
+import com.google.common.base.Optional;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
+import google.registry.request.Action;
+import google.registry.testing.FakeUserService;
+import javax.servlet.http.HttpServletRequest;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+
+/** Unit tests for {@link RequestAuthenticator}. */
+@RunWith(MockitoJUnitRunner.class)
+public class RequestAuthenticatorTest {
+
+  private FakeUserService fakeUserService;
+
+  @Mock
+  private UserService mockUserService;
+
+  @Mock
+  private HttpServletRequest req;
+
+  @Action(
+      path = "/auth/none",
+      auth = @Auth(
+          methods = {Auth.AuthMethod.INTERNAL},
+          minimumLevel = AuthLevel.NONE,
+          userPolicy = Auth.UserPolicy.IGNORED),
+      method = Action.Method.GET)
+  public static class AuthNone {}
+
+  @Action(
+      path = "/auth/internalOnly",
+      auth = @Auth(minimumLevel = AuthLevel.APP),
+      method = Action.Method.GET)
+  public static class AuthInternalOnly {}
+
+  @Action(
+      path = "/auth/anyUserAnyMethod",
+      auth = @Auth(
+          methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY},
+          minimumLevel = AuthLevel.USER,
+          userPolicy = Auth.UserPolicy.PUBLIC),
+      method = Action.Method.GET)
+  public static class AuthAnyUserAnyMethod {}
+
+  @Action(
+      path = "/auth/adminUserAnyMethod",
+      auth = @Auth(
+          methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY},
+          minimumLevel = AuthLevel.USER,
+          userPolicy = Auth.UserPolicy.ADMIN),
+      method = Action.Method.GET)
+  public static class AuthAdminUserAnyMethod {
+  }
+
+  private final User testUser = new User("test@example.com", "test@example.com");
+
+  @Before
+  public void before() throws Exception {
+    fakeUserService = new FakeUserService();
+  }
+
+  private static RequestAuthenticator createRequestAuthenticator(UserService userService) {
+    return new RequestAuthenticator(
+        new AppEngineInternalAuthenticationMechanism(),
+        ImmutableList.<AuthenticationMechanism>of(
+            new OAuthAuthenticationMechanism(
+                OAuthServiceFactory.getOAuthService(),
+                ImmutableSet.of("https://www.googleapis.com/auth/userinfo.email"),
+                ImmutableSet.of("https://www.googleapis.com/auth/userinfo.email"),
+                ImmutableSet.of("proxy-client-id", "regtool-client-id"))),
+        new LegacyAuthenticationMechanism(userService));
+  }
+
+  private Optional<AuthResult> runTest(UserService userService, Class<?> clazz) {
+    return createRequestAuthenticator(userService)
+        .authorize(clazz.getAnnotation(Action.class).auth(), req);
+  }
+
+  @Test
+  public void testNoAuthNeeded_noneFound() throws Exception {
+    Optional<AuthResult> authResult = runTest(mockUserService, AuthNone.class);
+    verifyZeroInteractions(mockUserService);
+    assertThat(authResult).isPresent();
+    assertThat(authResult.get()).isNotNull();
+    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.NONE);
+  }
+
+  @Test
+  public void testNoAuthNeeded_internalFound() throws Exception {
+    when(req.getHeader("X-AppEngine-QueueName")).thenReturn("__cron");
+    Optional<AuthResult> authResult = runTest(mockUserService, AuthNone.class);
+    verifyZeroInteractions(mockUserService);
+    assertThat(authResult).isPresent();
+    assertThat(authResult.get()).isNotNull();
+    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.APP);
+    assertThat(authResult.get().userAuthInfo()).isAbsent();
+  }
+
+  @Test
+  public void testInternalAuth_notInvokedInternally() throws Exception {
+    Optional<AuthResult> authResult = runTest(mockUserService, AuthInternalOnly.class);
+    verifyZeroInteractions(mockUserService);
+    assertThat(authResult).isAbsent();
+  }
+
+  @Test
+  public void testInternalAuth_success() throws Exception {
+    when(req.getHeader("X-AppEngine-QueueName")).thenReturn("__cron");
+    Optional<AuthResult> authResult = runTest(mockUserService, AuthInternalOnly.class);
+    verifyZeroInteractions(mockUserService);
+    assertThat(authResult).isPresent();
+    assertThat(authResult.get()).isNotNull();
+    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.APP);
+    assertThat(authResult.get().userAuthInfo()).isAbsent();
+  }
+
+  @Test
+  public void testAnyUserAnyMethod_notLoggedIn() throws Exception {
+    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
+    assertThat(authResult).isAbsent();
+  }
+
+  @Test
+  public void testAnyUserAnyMethod_success() throws Exception {
+    fakeUserService.setUser(testUser, false);
+    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
+    assertThat(authResult).isPresent();
+    assertThat(authResult.get()).isNotNull();
+    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
+    assertThat(authResult.get().userAuthInfo()).isPresent();
+    assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
+    assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isAbsent();
+  }
+
+  @Test
+  public void testAdminUserAnyMethod_notLoggedIn() throws Exception {
+    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
+    assertThat(authResult).isAbsent();
+  }
+
+  @Test
+  public void testAdminUserAnyMethod_notAdminUser() throws Exception {
+    fakeUserService.setUser(testUser, false);
+    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
+    assertThat(authResult).isAbsent();
+  }
+
+  @Test
+  public void testAdminUserAnyMethod_success() throws Exception {
+    fakeUserService.setUser(testUser, true);
+    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
+    assertThat(authResult).isPresent();
+    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
+    assertThat(authResult.get().userAuthInfo()).isPresent();
+    assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
+    assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isAbsent();
+  }
+
+  // TODO(mountford) Add more tests for OAuth, misconfiguration, etc., either here or separately
+}