package com.digitalsanctuary.spring.user.service;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.lenient;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

import com.digitalsanctuary.spring.user.fixtures.OidcUserTestDataBuilder;
import com.digitalsanctuary.spring.user.persistence.model.Role;
import com.digitalsanctuary.spring.user.persistence.model.User;
import com.digitalsanctuary.spring.user.persistence.repository.RoleRepository;
import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
import com.digitalsanctuary.spring.user.registration.RegistrationContext;
import com.digitalsanctuary.spring.user.registration.RegistrationDecision;
import com.digitalsanctuary.spring.user.registration.RegistrationGuard;
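/**
 * Unit tests for how {@code DSOidcUserService#handleOidcLoginSuccess} integrates with the
 * {@link RegistrationGuard}: a new (unknown e-mail) OIDC login is admitted or rejected based on
 * the guard's {@link RegistrationDecision}, while an already-registered user bypasses the guard.
 *
 * <p>All collaborators are Mockito mocks; no Spring context is started.
 */
@ExtendWith(MockitoExtension.class)
@DisplayName("DSOidcUserService RegistrationGuard Tests")
class DSOidcUserServiceRegistrationGuardTest {

    @Mock
    private UserRepository userRepository;

    @Mock
    private RoleRepository roleRepository;

    @Mock
    private LoginHelperService loginHelperService;

    @Mock
    private RegistrationGuard registrationGuard;

    @Mock
    private ApplicationEventPublisher eventPublisher;

    @InjectMocks
    private DSOidcUserService service;

    private Role userRole;

    /**
     * Stubs the default {@code ROLE_USER} lookup used when a new user is created. The stub is
     * lenient because not every test in this class is expected to reach the role lookup, and
     * strict stubs would otherwise report it as unnecessary.
     */
    @BeforeEach
    void setUp() {
        userRole = new Role();
        userRole.setName("ROLE_USER");
        userRole.setId(1L);
        lenient().when(roleRepository.findByName("ROLE_USER")).thenReturn(userRole);
    }

    /**
     * A new OIDC login that the guard denies must surface as an
     * {@link OAuth2AuthenticationException} carrying the guard's reason and the
     * {@code registration_denied} error code, and must not leave a persisted user behind.
     */
    @Test
    @DisplayName("Should reject new OIDC user when guard denies")
    void shouldRejectNewOidcUserWhenGuardDenies() {
        OidcUser keycloakUser = OidcUserTestDataBuilder.keycloak()
                .withEmail("new@company.com")
                .withGivenName("New")
                .withFamilyName("User")
                .build();
        // Unknown e-mail -> this is a registration, so the guard is in the decision path.
        when(userRepository.findByEmail("new@company.com")).thenReturn(null);
        when(registrationGuard.evaluate(any(RegistrationContext.class)))
                .thenReturn(RegistrationDecision.deny("Organization not whitelisted"));

        assertThatThrownBy(() -> service.handleOidcLoginSuccess("keycloak", keycloakUser))
                .isInstanceOf(OAuth2AuthenticationException.class)
                .hasMessageContaining("Organization not whitelisted")
                .satisfies(ex -> {
                    OAuth2AuthenticationException oauthEx = (OAuth2AuthenticationException) ex;
                    assertThat(oauthEx.getError().getErrorCode()).isEqualTo("registration_denied");
                });

        // The guard must actually have been consulted, and a denial must never reach the
        // repository: a rejected registration that is still saved would be a silent bypass.
        verify(registrationGuard).evaluate(any(RegistrationContext.class));
        verify(userRepository, never()).save(any(User.class));
    }

    /**
     * A new OIDC login that the guard allows is persisted and returned with the e-mail taken
     * from the OIDC principal.
     */
    @Test
    @DisplayName("Should allow new OIDC user when guard allows")
    void shouldAllowNewOidcUserWhenGuardAllows() {
        OidcUser keycloakUser = OidcUserTestDataBuilder.keycloak()
                .withEmail("allowed@company.com")
                .withGivenName("Allowed")
                .withFamilyName("User")
                .build();
        when(userRepository.findByEmail("allowed@company.com")).thenReturn(null);
        when(registrationGuard.evaluate(any(RegistrationContext.class)))
                .thenReturn(RegistrationDecision.allow());
        // Echo the saved entity back so the returned User is the one the service built.
        when(userRepository.save(any(User.class))).thenAnswer(invocation -> invocation.getArgument(0));

        User result = service.handleOidcLoginSuccess("keycloak", keycloakUser);

        assertThat(result).isNotNull();
        assertThat(result.getEmail()).isEqualTo("allowed@company.com");
        verify(registrationGuard).evaluate(any(RegistrationContext.class));
        verify(userRepository).save(any(User.class));
    }

    /**
     * An OIDC login for an e-mail that already exists is a login, not a registration, so the
     * guard must not be consulted at all.
     */
    @Test
    @DisplayName("Should not call guard for existing OIDC user")
    void shouldNotCallGuardForExistingOidcUser() {
        OidcUser keycloakUser = OidcUserTestDataBuilder.keycloak()
                .withEmail("existing@company.com")
                .withGivenName("Existing")
                .withFamilyName("User")
                .build();
        User existingUser = new User();
        existingUser.setId(100L);
        existingUser.setEmail("existing@company.com");
        existingUser.setProvider(User.Provider.KEYCLOAK);
        when(userRepository.findByEmail("existing@company.com")).thenReturn(existingUser);
        when(userRepository.save(any(User.class))).thenAnswer(invocation -> invocation.getArgument(0));

        User result = service.handleOidcLoginSuccess("keycloak", keycloakUser);

        assertThat(result).isNotNull();
        verifyNoInteractions(registrationGuard);
    }
}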