TestTokenManagerImpl.java

/rpc-jira-plugin/src/test/java/com/atlassian/jira/rpc/auth/TestTokenManagerImpl.java

https://bitbucket.org/atlassianlabs/rpc-jira-plugin · Java · 323 lines · 265 code · 52 blank · 6 comment · 0 complexity · 3f4e3841241585dc7bc848abef636988 MD5 · raw file

package com.atlassian.jira.rpc.auth;

import com.atlassian.cache.memory.MemoryCacheManager;
import com.atlassian.crowd.embedded.api.User;
import com.atlassian.jira.bc.security.login.LoginReason;
import com.atlassian.jira.bc.security.login.LoginResult;
import com.atlassian.jira.bc.security.login.LoginResultImpl;
import com.atlassian.jira.bc.security.login.LoginService;
import com.atlassian.jira.rpc.exception.RemoteAuthenticationException;
import com.atlassian.jira.rpc.exception.RemoteException;
import com.atlassian.jira.rpc.exception.RemotePermissionException;
import com.atlassian.jira.rpc.mock.MockUser;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.security.PermissionManager;
import com.atlassian.jira.security.Permissions;
import com.atlassian.jira.user.util.UserManager;
import junit.framework.TestCase;
import org.easymock.EasyMock;

import static com.atlassian.jira.bc.security.login.LoginReason.OK;
import static org.easymock.EasyMock.expect;
import static org.easymock.EasyMock.replay;
import static org.easymock.EasyMock.verify;

public class TestTokenManagerImpl extends TestCase
{
    private PermissionManager permissionManager;
    private LoginService loginService;
    private JiraAuthenticationContext jiraAuthenticationContext;
    private UserManager userManager;
    private User bob;

    protected void setUp() throws Exception
    {
        permissionManager = EasyMock.createMock(PermissionManager.class);
        loginService = EasyMock.createMock(LoginService.class);
        jiraAuthenticationContext = EasyMock.createMock(JiraAuthenticationContext.class);
        userManager = EasyMock.createMock(UserManager.class);
        bob = new MockUser("bob");
    }

    @Override
    protected void tearDown() throws Exception
    {
        verify(permissionManager, loginService, userManager, jiraAuthenticationContext);
    }

    private TokenManagerImpl instantiateTokenManager()
    {
        replay(permissionManager, loginService, userManager, jiraAuthenticationContext);
        return new TokenManagerImpl(permissionManager, loginService, jiraAuthenticationContext, userManager, new MemoryCacheManager());
    }

    public void testLogin_FAIL() throws RemoteException
    {

        final LoginResult loginResultFAIL = new LoginResultImpl(LoginReason.AUTHENTICATED_FAILED, null, "bob");

        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        expect(userManager.getUserObject("bob")).andStubReturn(bob);
        expect(loginService.authenticate(bob, "badpass")).andStubReturn(loginResultFAIL);
        expect(permissionManager.hasPermission(Permissions.USE, bob)).andStubReturn(true);

        TokenManager tokenManager = instantiateTokenManager();

        // invalid login
        try
        {
            tokenManager.login("bob", "badpass");
            fail("Should have barfed.");
        }
        catch (RemoteAuthenticationException e)
        {
            assertTrue(e.getMessage().contains("Invalid username or password"));
        }
    }

    public void testLogin_FAIL_for_unknown_user() throws RemoteException
    {
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        expect(userManager.getUserObject("bob")).andStubReturn(null);

        TokenManager tokenManager = instantiateTokenManager();

        // invalid login
        try
        {
            tokenManager.login("bob", "badpass");
            fail("Should have barfed.");
        }
        catch (RemoteAuthenticationException e)
        {
            assertTrue(e.getMessage().contains("Invalid username or password"));
        }
    }

    public void testLogin_FAIL_for_ElevateSecurity()
            throws RemoteException
    {
        final LoginResult loginResultFAIL = new LoginResultImpl(LoginReason.AUTHENTICATION_DENIED, null, "bob");

        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        expect(userManager.getUserObject("bob")).andStubReturn(bob);
        expect(loginService.authenticate(bob, "badpass")).andStubReturn(loginResultFAIL);
        expect(permissionManager.hasPermission(Permissions.USE, bob)).andStubReturn(true);

        TokenManager tokenManager = instantiateTokenManager();

        // invalid login
        try
        {
            tokenManager.login("bob", "badpass");
            fail("Should have barfed.");
        }
        catch (RemoteAuthenticationException e)
        {
            assertTrue(e.getMessage().contains("The maximum number of failed login attempts has been reached. Please log into the application through the web interface to reset the number of failed login attempts."));
        }
    }

    public void testLogin_OK_inContext()
            throws RemoteException
    {
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(bob);

        TokenManager tokenManager = instantiateTokenManager();

        String token = tokenManager.login("bob", "badpass");
        assertEquals("trustedappstoken", token);
    }

    public void testLoginRetrieveLogout() throws RemoteException
    {

        final LoginResult loginResultOK = new LoginResultImpl(OK, null, "bob");

        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        expect(userManager.getUserObject("bob")).andStubReturn(bob);
        expect(loginService.authenticate(bob, "password")).andStubReturn(loginResultOK);
        expect(permissionManager.hasPermission(Permissions.USE, bob)).andStubReturn(true);

        TokenManager tokenManager = instantiateTokenManager();

        String token = tokenManager.login("bob", "password");

        assertEquals(bob, tokenManager.retrieveUser(token));

        assertTrue(tokenManager.logout(token));
        assertTrue(tokenManager.logout(null));
    }

    public void testRetrieveUser_UnknownToken() throws RemoteException
    {
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        TokenManager tokenManager = instantiateTokenManager();
        try
        {
            tokenManager.retrieveUser("badtoken");
            fail("Should have barfed.");
        }
        catch (RemoteAuthenticationException e)
        {
        }
    }

    public void testRetrieveUser_NullToken() throws RemoteException
    {
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        TokenManager tokenManager = instantiateTokenManager();
        try
        {
            tokenManager.retrieveUser(null);
            fail("Should have barfed.");
        }
        catch (RemoteAuthenticationException e)
        {
        }
    }

    public void testRetrieveUser_WithNoPermission() throws RemoteException
    {
        final LoginResult loginResult = new LoginResultImpl(OK, null, "bob");

        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        expect(userManager.getUserObject("bob")).andStubReturn(bob);
        expect(loginService.authenticate(bob, "password")).andStubReturn(loginResult);
        expect(permissionManager.hasPermission(Permissions.USE, bob)).andStubReturn(false);

        TokenManager tokenManager = instantiateTokenManager();
        try
        {
            String token = tokenManager.login("bob", "password");
            tokenManager.retrieveUser(token);
            fail("Should have barfed.");
        }
        catch (RemotePermissionException e)
        {
        }
    }

    public void testRetrieveUser_OK() throws RemoteException
    {
        final LoginResult loginResult = new LoginResultImpl(OK, null, "bob");

        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        expect(userManager.getUserObject("bob")).andStubReturn(bob);
        expect(loginService.authenticate(bob, "password")).andStubReturn(loginResult);
        expect(permissionManager.hasPermission(Permissions.USE, bob)).andStubReturn(true);

        TokenManager tokenManager = instantiateTokenManager();
        String token = tokenManager.login("bob", "password");
        User actual = tokenManager.retrieveUser(token);
        assertEquals(bob.getName(), actual.getName());
    }

    public void testRetrieveUser_FAIL_noPermission_fromAuthContext()
            throws RemoteException
    {
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(bob);
        expect(permissionManager.hasPermission(Permissions.USE, bob)).andStubReturn(false);

        TokenManager tokenManager = instantiateTokenManager();
        String token = tokenManager.login("bob", "password");
        try
        {
            tokenManager.retrieveUser(token);
            fail("Should have barfed");
        }
        catch (RemotePermissionException ignored)
        {
        }
    }

    public void testRetrieveUser_OK_butfromAuthContext()
            throws RemoteException
    {
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(bob);
        expect(permissionManager.hasPermission(Permissions.USE, bob)).andStubReturn(true);

        TokenManager tokenManager = instantiateTokenManager();
        String token = tokenManager.login("bob", "password");
        User actual = tokenManager.retrieveUser(token);
        assertEquals(bob.getName(), actual.getName());
    }

    public void testRetrieveUserNoPermissions_NullToken()
            throws RemoteException
    {
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);

        TokenManager tokenManager = instantiateTokenManager();
        assertNull(tokenManager.retrieveUserNoPermissionCheck(null));
    }

    public void testRetrieveUserNoPermissions_BadToken()
            throws RemoteException
    {
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);

        TokenManager tokenManager = instantiateTokenManager();
        try
        {
            tokenManager.retrieveUserNoPermissionCheck("badtoken");
            fail("Should have barfed");
        }
        catch (RemoteAuthenticationException e)
        {
        }
    }

    public void testRetrieveUserNoPermissions_OK() throws RemoteException
    {
        final LoginResult loginResult = new LoginResultImpl(OK, null, "bob");

        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        expect(userManager.getUserObject("bob")).andStubReturn(bob);
        expect(loginService.authenticate(bob, "password")).andStubReturn(loginResult);
        expect(permissionManager.hasPermission(Permissions.USE, bob)).andStubReturn(false);

        TokenManager tokenManager = instantiateTokenManager();
        String token = tokenManager.login("bob", "password");
        final User actualUser = tokenManager.retrieveUserNoPermissionCheck(token);
        assertEquals(bob.getName(), actualUser.getName());
    }

    public void testRetrieveUserNoPermissions_OK_FromAuthContext() throws RemoteException
    {
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(bob);

        TokenManager tokenManager = instantiateTokenManager();
        String token = tokenManager.login("bob", "password");
        final User actualUser = tokenManager.retrieveUserNoPermissionCheck(token);
        assertEquals(bob.getName(), actualUser.getName());
    }

    public void testThatClearCacheEventClearsUserTokenMap() throws Exception
    {
        // Set up
        final String username = "bob";
        final String password = "password";
        final LoginResult loginResult = new LoginResultImpl(OK, null, username);
        expect(jiraAuthenticationContext.getLoggedInUser()).andStubReturn(null);
        expect(userManager.getUserObject(username)).andStubReturn(bob);
        expect(loginService.authenticate(bob, password)).andStubReturn(loginResult);
        final TokenManagerImpl tokenManager = instantiateTokenManager();
        final String token = tokenManager.login(username, password);
        assertNotNull(tokenManager.retrieveUserNoPermissionCheck(token));

        // Invoke
        tokenManager.onClearCache(null);

        // Check
        try
        {
            tokenManager.retrieveUserNoPermissionCheck(token);
            fail("Expected a " + RemoteAuthenticationException.class);
        }
        catch (final RemoteAuthenticationException e)
        {
            assertEquals(TokenManagerImpl.UNKNOWN_USER_MESSAGE, e.getMessage());
        }
    }
}
Tech Fingerprint

EasyMock
Alerts (7)

'catch' Correctness Info: Empty catch block detected. Swallowing exceptions without logging or handling can hide errors and make debugging difficult.
161 175 196 229 266
'throws Exception' Declaring 'throws Exception' is too broad. Declare specific checked exceptions that the method might throw, allowing callers to handle them appropriately.
296
'String password' Security Critical: Storing passwords or sensitive secrets directly in String objects is insecure. Strings are immutable and pooled, making them hard to clear from memory reliably. Use `char[]` instead and explicitly clear it after use.
300