UserAuthenticationMgmtTest.java

/**
* OLAT - Online Learning and Training<br>
* http://www.olat.org
* <p>
* Licensed under the Apache License, Version 2.0 (the "License"); <br>
* you may not use this file except in compliance with the License.<br>
* You may obtain a copy of the License at
* <p>
* http://www.apache.org/licenses/LICENSE-2.0
* <p>
* Unless required by applicable law or agreed to in writing,<br>
* software distributed under the License is distributed on an "AS IS" BASIS, <br>
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
* See the License for the specific language governing permissions and <br>
* limitations under the License.
* <p>
* Copyright (c) since 2004 at Multimedia- & E-Learning Services (MELS),<br>
* University of Zurich, Switzerland.
* <hr>
* <a href="http://www.openolat.org">
* OpenOLAT - Online Learning and Training</a><br>
* This file has been modified by the OpenOLAT community. Changes are licensed
* under the Apache 2.0 license as the original file.  
* <p>
*/

package org.olat.restapi;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;

import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.UUID;

import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.UriBuilder;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.type.TypeReference;
import org.junit.Assert;
import org.junit.Test;
import org.olat.basesecurity.Authentication;
import org.olat.basesecurity.BaseSecurity;
import org.olat.core.commons.persistence.DB;
import org.olat.core.commons.persistence.DBFactory;
import org.olat.core.id.Identity;
import org.olat.core.logging.OLog;
import org.olat.core.logging.Tracing;
import org.olat.core.util.Encoder;
import org.olat.login.auth.OLATAuthManager;
import org.olat.restapi.support.vo.AuthenticationVO;
import org.olat.restapi.support.vo.ErrorVO;
import org.olat.test.JunitTestHelper;
import org.olat.test.OlatJerseyTestCase;
import org.springframework.beans.factory.annotation.Autowired;

/**
 * 
 * Description:<br>
 * Test the authentication management per user
 * 
 * <P>
 * Initial Date:  15 apr. 2010 <br>
 * @author srosse, stephane.rosse@frentix.com
 */
public class UserAuthenticationMgmtTest extends OlatJerseyTestCase {
	
	private static final OLog log = Tracing.createLoggerFor(UserAuthenticationMgmtTest.class);
	
	@Autowired
	private DB dbInstance;
	@Autowired
	private BaseSecurity securityManager;
	@Autowired
	private OLATAuthManager authManager;
	
	
	@Test
	public void getAuthentications() throws IOException, URISyntaxException {
		RestConnection conn = new RestConnection();
		assertTrue(conn.login("administrator", "openolat"));
		
		URI request = UriBuilder.fromUri(getContextURI()).path("/users/administrator/auth").build();
		HttpGet method = conn.createGet(request, MediaType.APPLICATION_JSON, true);
		HttpResponse response = conn.execute(method);
		assertEquals(200, response.getStatusLine().getStatusCode());
		InputStream body = response.getEntity().getContent();
		List<AuthenticationVO> vos = parseAuthenticationArray(body);
		assertNotNull(vos);
		assertFalse(vos.isEmpty());

		conn.shutdown();
	}
	
	@Test
	public void createAuthentications() throws IOException, URISyntaxException {
		RestConnection conn = new RestConnection();
		Identity adminIdent = securityManager.findIdentityByName("administrator");
		try {
			Authentication refAuth = securityManager.findAuthentication(adminIdent, "REST-API");
			if(refAuth != null) {
				securityManager.deleteAuthentication(refAuth);
			}
		} catch(Exception e) {
			//
		}
		DBFactory.getInstance().commitAndCloseSession();
		
		assertTrue(conn.login("administrator", "openolat"));

		AuthenticationVO vo = new AuthenticationVO();
		vo.setAuthUsername("administrator");
		vo.setIdentityKey(adminIdent.getKey());
		vo.setProvider("REST-API");
		vo.setCredential("credentials");
		
		URI request = UriBuilder.fromUri(getContextURI()).path("/users/administrator/auth").build();
		HttpPut method = conn.createPut(request, MediaType.APPLICATION_JSON, true);
		conn.addJsonEntity(method, vo);

		HttpResponse response = conn.execute(method);
		assertTrue(response.getStatusLine().getStatusCode() == 200 || response.getStatusLine().getStatusCode() == 201);
		AuthenticationVO savedAuth = conn.parse(response, AuthenticationVO.class);
		Authentication refAuth = securityManager.findAuthentication(adminIdent, "REST-API");

		assertNotNull(refAuth);
		assertNotNull(refAuth.getKey());
		assertTrue(refAuth.getKey().longValue() > 0);
		assertNotNull(savedAuth);
		assertNotNull(savedAuth.getKey());
		assertTrue(savedAuth.getKey().longValue() > 0);
		assertEquals(refAuth.getKey(), savedAuth.getKey());
		assertEquals(refAuth.getAuthusername(), savedAuth.getAuthUsername());
		assertEquals(refAuth.getIdentity().getKey(), savedAuth.getIdentityKey());
		assertEquals(refAuth.getProvider(), savedAuth.getProvider());
		assertEquals(refAuth.getCredential(), savedAuth.getCredential());
		
		conn.shutdown();
	}
	
	/**
	 * Check if the REST call return a specific error if the pair authentication user name and provider
	 * is already used.
	 * 
	 */
	@Test
	public void createAuthentications_checkDuplicate() throws IOException, URISyntaxException {
		Identity id1 = JunitTestHelper.createAndPersistIdentityAsRndUser("check-auth-1");
		Identity id2 = JunitTestHelper.createAndPersistIdentityAsRndUser("check-auth-2");
		String authUsername = UUID.randomUUID().toString();
		dbInstance.commitAndCloseSession();
		
		RestConnection conn = new RestConnection();
		Assert.assertTrue(conn.login("administrator", "openolat"));

		//set the first authentication
		AuthenticationVO vo1 = new AuthenticationVO();
		vo1.setAuthUsername(authUsername);
		vo1.setIdentityKey(id1.getKey());
		vo1.setProvider("REST-API");
		vo1.setCredential("credentials");
		URI request1 = UriBuilder.fromUri(getContextURI()).path("/users/" + id1.getName() + "/auth").build();
		HttpPut method1 = conn.createPut(request1, MediaType.APPLICATION_JSON, true);
		conn.addJsonEntity(method1, vo1);

		HttpResponse response1 = conn.execute(method1);
		Assert.assertEquals(200, response1.getStatusLine().getStatusCode());
		conn.parse(response1, AuthenticationVO.class);
		Authentication refAuth1 = securityManager.findAuthentication(id1, "REST-API");
		Assert.assertNotNull(refAuth1);
		Assert.assertEquals(id1, refAuth1.getIdentity());

		// set the second which duplicates the first
		AuthenticationVO vo2 = new AuthenticationVO();
		vo2.setAuthUsername(authUsername);
		vo2.setIdentityKey(id2.getKey());
		vo2.setProvider("REST-API");
		vo2.setCredential("credentials");
		URI request2 = UriBuilder.fromUri(getContextURI()).path("/users/" + id2.getName() + "/auth").build();
		HttpPut method2 = conn.createPut(request2, MediaType.APPLICATION_JSON, true);
		conn.addJsonEntity(method2, vo2);

		HttpResponse response2 = conn.execute(method2);
		Assert.assertEquals(409, response2.getStatusLine().getStatusCode());
		ErrorVO error = conn.parse(response2, ErrorVO.class);
		Assert.assertNotNull(error);

		conn.shutdown();
	}
	
	@Test
	public void deleteAuthentications() throws IOException, URISyntaxException {
		RestConnection conn = new RestConnection();
		assertTrue(conn.login("administrator", "openolat"));
		
		//create an authentication token
		Identity adminIdent = securityManager.findIdentityByName("administrator");
		Authentication authentication = securityManager.createAndPersistAuthentication(adminIdent, "REST-A-2", "administrator", "credentials", Encoder.Algorithm.sha512);
		assertTrue(authentication != null && authentication.getKey() != null && authentication.getKey().longValue() > 0);
		DBFactory.getInstance().intermediateCommit();
		
		//delete an authentication token
		URI request = UriBuilder.fromUri(getContextURI()).path("/users/administrator/auth/" + authentication.getKey()).build();
		HttpDelete method = conn.createDelete(request, MediaType.APPLICATION_XML);
		HttpResponse response = conn.execute(method);
		assertEquals(200, response.getStatusLine().getStatusCode());
		EntityUtils.consume(response.getEntity());
		
		Authentication refAuth = securityManager.findAuthentication(adminIdent, "REST-A-2");
		assertNull(refAuth);
		
		conn.shutdown();
	}
	
	@Test
	public void changePassword() throws IOException, URISyntaxException {
		Identity user = JunitTestHelper.createAndPersistIdentityAsRndUser("rest-chg-pwd");
		dbInstance.commitAndCloseSession();
		
		RestConnection conn = new RestConnection();
		assertTrue(conn.login("administrator", "openolat"));

		URI request = UriBuilder.fromUri(getContextURI())
				.path("users").path(user.getName()).path("auth").path("password")
				.build();
		HttpPost method = conn.createPost(request, "*/*");
		conn.addEntity(method, new BasicNameValuePair("newPassword", "top-secret"));
		HttpResponse response = conn.execute(method);
		Assert.assertNotNull(response);
		Assert.assertEquals(200, response.getStatusLine().getStatusCode());
		EntityUtils.consume(response.getEntity());
		
		//check
		Identity reloadedUser = authManager.authenticate(user, user.getName(), "top-secret");
		Assert.assertNotNull(reloadedUser);
		Assert.assertEquals(user, reloadedUser);
	}
	
	private List<AuthenticationVO> parseAuthenticationArray(InputStream body) {
		try {
			ObjectMapper mapper = new ObjectMapper(jsonFactory); 
			return mapper.readValue(body, new TypeReference<List<AuthenticationVO>>(){/* */});
		} catch (Exception e) {
			log.error("Cannot parse an array of AuthenticationVO", e);
			return null;
		}
	}
}