AccountAdminImplTest.java

/org.amdatu.security.account/test/org/amdatu/security/account/admin/AccountAdminImplTest.java

https://bitbucket.org/amdatu/amdatu-security · Java · 680 lines · 478 code · 182 blank · 20 comment · 5 complexity · 5aaf144975d7df84adf4826657f9a3f3 MD5 · raw file

/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.amdatu.security.account.admin;

import static org.amdatu.security.account.admin.AccountAdminConfig.KEY_ACCOUNT_REMOVAL_ALLOWED;
import static org.amdatu.security.account.admin.AccountAdminConfig.KEY_ACCOUNT_VERIFICATION_NEEDED;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyMap;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.atLeast;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.reset;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

import java.util.Dictionary;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.Optional;

import org.amdatu.security.account.Account;
import org.amdatu.security.account.Account.State;
import org.amdatu.security.account.AccountAdminBackend;
import org.amdatu.security.account.AccountCredentialResetException;
import org.amdatu.security.account.AccountException;
import org.amdatu.security.account.AccountLockedException;
import org.amdatu.security.account.AccountValidationException;
import org.amdatu.security.account.AccountValidator;
import org.amdatu.security.account.NoSuchAccountException;
import org.amdatu.security.account.TestPasswordHasher;
import org.amdatu.security.account.UnverifiedAccountException;
import org.amdatu.security.password.hash.PasswordHasher;
import org.amdatu.security.tokenprovider.InvalidTokenException;
import org.amdatu.security.tokenprovider.InvalidTokenException.Reason;
import org.amdatu.security.tokenprovider.TokenProvider;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.Spy;
import org.mockito.junit.MockitoJUnitRunner;
import org.osgi.service.event.EventAdmin;
import org.osgi.service.log.LogService;

/**
 * Test cases for {@link AccountAdminImpl}.
 */
@RunWith(MockitoJUnitRunner.class)
public class AccountAdminImplTest {
    private static final String SECRET_PLAIN = "secret";
    private static final String SECRET_SHA256 = "$5$K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=";

    private static final String PASSWORD_PLAIN = "password";
    private static final String PASSWORD_SHA256 = "$5$XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=";

    private static final String EXISTING_ACCOUNT_ID = "existing_user@amdatu.org";
    private static final String NEW_ACCOUNT_ID = "new_user@amdatu.org";
    private static final String LOCKED_ACCOUNT_ID = "bad_user@amdatu.org";
    private static final String NON_EXISTING_ACCOUNT_ID = "does_not_exist@amdatu.org";

    private PasswordHasher m_pwdHasher = new TestPasswordHasher();
    @Spy
    private AccountAdminBackend m_backend = new MockAccountAdminBackend();
    @Mock
    private AccountValidator m_accountValidator;
    @Mock
    private EventAdmin m_eventAdmin;
    @Mock
    private LogService m_logService;
    @Mock
    private TokenProvider m_tokenProvider;
    @InjectMocks
    private AccountAdminImpl m_accountAdmin = new AccountAdminImpl(m_backend, m_pwdHasher);

    @Rule
    public final ExpectedException m_rule = ExpectedException.none();

    private static Dictionary<String, Object> asDictionary(String... entries) {
        Dictionary<String, Object> result = new Hashtable<>();
        for (int i = 0; i < entries.length; i += 2) {
            result.put(entries[i], entries[i + 1]);
        }
        return result;
    }

    private static Map<String, String> asMap(String... entries) {
        Map<String, String> result = new HashMap<>();
        for (int i = 0; i < entries.length; i += 2) {
            result.put(entries[i], entries[i + 1]);
        }
        return result;
    }

    private static Map<String, String> createCredentials(String email, String password) {
        return asMap("email", email, "password", password);
    }

    @Before
    @SuppressWarnings("unchecked")
    public void setUp() throws Exception {
        when(m_tokenProvider.generateToken(anyMap())).thenAnswer(mock -> {
            String sub = ((Map<String, String>) mock.getArguments()[0]).get("sub");
            return sub;
        });
        when(m_tokenProvider.verifyToken(anyString())).thenAnswer(mock -> {
            String token = mock.getArguments()[0].toString();
            if (EXISTING_ACCOUNT_ID.equals(token) || NEW_ACCOUNT_ID.equals(token) || LOCKED_ACCOUNT_ID.equals(token)) {
                return asMap("sub", token);
            }
            throw new InvalidTokenException(Reason.UNKNOWN, "invalid token!", null);
        });

        // Inject a couple of accounts with specific properties...
        Map<String, String> creds = createCredentials(EXISTING_ACCOUNT_ID, m_pwdHasher.hash(SECRET_PLAIN));
        m_backend.update(new Account(EXISTING_ACCOUNT_ID, creds, State.NORMAL, null, false /* locked */));

        creds = createCredentials(LOCKED_ACCOUNT_ID, m_pwdHasher.hash("bad"));
        m_backend.update(new Account(LOCKED_ACCOUNT_ID, creds, State.NORMAL, null, true /* locked */));

        when(m_backend.accountExists(EXISTING_ACCOUNT_ID)).thenReturn(Boolean.TRUE);

        m_accountAdmin.updated(null); // ensure we've got a default configuration...

        reset(m_backend); // make sure we've got a clear state...
    }

    @Test
    public void testAccountExists() throws Exception {
        assertTrue(m_accountAdmin.accountExists(EXISTING_ACCOUNT_ID));
        assertFalse(m_accountAdmin.accountExists(NON_EXISTING_ACCOUNT_ID));
        assertFalse(m_accountAdmin.accountExists(null));
    }

    @Test
    public void testCreateAccount() throws Exception {
        Account account = m_accountAdmin.createAccount(createCredentials(NEW_ACCOUNT_ID, SECRET_PLAIN));
        assertNotNull(account);

        assertEquals(NEW_ACCOUNT_ID, account.getId());
        assertEquals(NEW_ACCOUNT_ID, account.getCredentials().get("email"));
        assertEquals(SECRET_SHA256, account.getCredentials().get("password"));
        assertEquals(State.ACCOUNT_VERIFICATION_NEEDED, account.getState());
        assertEquals(Optional.of(NEW_ACCOUNT_ID), account.getAccessToken());
    }

    @Test
    public void testCreateAccount_AccountExists() throws Exception {
        m_rule.expect(AccountException.class);

        assertNull(m_accountAdmin.createAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)));
    }

    @Test
    public void testCreateAccount_AccountValidationFails() throws Exception {
        doThrow(new AccountValidationException()).when(m_accountValidator).validate(any());

        m_rule.expect(AccountValidationException.class);

        assertNull(m_accountAdmin.createAccount(createCredentials(NEW_ACCOUNT_ID, PASSWORD_PLAIN)));
    }

    @Test
    public void testCreateAccount_EmptyCredentials() throws Exception {
        m_rule.expect(AccountException.class);

        assertNull(m_accountAdmin.createAccount(asMap()));
    }

    @Test
    public void testCreateAccount_MissingAccountId() throws Exception {
        m_rule.expect(AccountException.class);

        assertNull(m_accountAdmin.createAccount(asMap("password", "secret")));
    }

    @Test
    public void testCreateAccount_MissingPassword() throws Exception {
        m_rule.expect(AccountException.class);

        assertNull(m_accountAdmin.createAccount(asMap("email", EXISTING_ACCOUNT_ID)));
    }

    @Test
    public void testCreateAccount_NoVerificationNeeded() throws Exception {
        m_accountAdmin.updated(asDictionary(KEY_ACCOUNT_VERIFICATION_NEEDED, "false"));

        Account account = m_accountAdmin.createAccount(createCredentials(NEW_ACCOUNT_ID, PASSWORD_PLAIN));
        assertNotNull(account);

        assertEquals(NEW_ACCOUNT_ID, account.getId());
        assertEquals(NEW_ACCOUNT_ID, account.getCredentials().get("email"));
        assertEquals(PASSWORD_SHA256, account.getCredentials().get("password"));
        assertEquals(State.NORMAL, account.getState());
        assertEquals(Optional.of(NEW_ACCOUNT_ID), account.getAccessToken());
    }

    @Test
    public void testGetAccount() throws Exception {
        Optional<Account> account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN));
        assertNotNull(account);

        assertTrue(account.isPresent());
    }

    @Test
    public void testGetAccount_ForcedCredentialsReset() throws Exception {
        m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, true /* force */);

        m_rule.expect(AccountCredentialResetException.class);

        assertNull(m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)));
    }

    @Test
    public void testGetAccount_IncorrectCredentials() throws Exception {
        Optional<Account> account;

        // Wrong password...
        account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, "incorrect"));
        assertNotNull(account);

        assertFalse(account.isPresent());

        // Wrong email address...
        account = m_accountAdmin.getAccount(createCredentials(NON_EXISTING_ACCOUNT_ID, SECRET_PLAIN));
        assertNotNull(account);

        assertFalse(account.isPresent());
    }

    @Test
    public void testGetAccount_LockedAccount() throws Exception {
        m_rule.expect(AccountLockedException.class);

        assertNull(m_accountAdmin.getAccount(createCredentials(LOCKED_ACCOUNT_ID, "bad")));
    }

    @Test
    public void testGetAccount_NonExistingAccount() throws Exception {
        Optional<Account> account = m_accountAdmin.getAccount(createCredentials(NON_EXISTING_ACCOUNT_ID, SECRET_PLAIN));
        assertNotNull(account);

        assertFalse(account.isPresent());
    }

    @Test
    public void testGetAccount_UnverifiedAccount() throws Exception {
        m_accountAdmin.createAccount(createCredentials(NEW_ACCOUNT_ID, SECRET_PLAIN));

        m_rule.expect(UnverifiedAccountException.class);

        assertNull(m_accountAdmin.getAccount(createCredentials(NEW_ACCOUNT_ID, SECRET_PLAIN)));
    }

    @Test
    public void testGetAccount_WithAccessToken() throws Exception {
        Account account = m_accountAdmin.createAccount(createCredentials(NEW_ACCOUNT_ID, PASSWORD_PLAIN));
        assertNotNull(account);

        String token = account.getAccessToken().get(); // cannot fail!

        account = m_accountAdmin.getAccountByAccessToken(token);

        assertNotNull(account);
    }

    @Test
    public void testGetAccount_WithAccessTokenForAccountWithoutToken() throws Exception {
        m_rule.expect(NoSuchAccountException.class);

        assertNull(m_accountAdmin.getAccountByAccessToken(EXISTING_ACCOUNT_ID));
    }

    @Test
    public void testGetAccount_WithAccessTokenForLockedAccount() throws Exception {
        m_rule.expect(AccountLockedException.class);

        assertNull(m_accountAdmin.getAccountByAccessToken(LOCKED_ACCOUNT_ID));
    }

    @Test
    public void testGetAccount_WithInvalidAccessToken() throws Exception {
        m_rule.expect(NoSuchAccountException.class);

        assertNull(m_accountAdmin.getAccountByAccessToken("someToken"));
    }

    @Test
    public void testGetAccount_WithPartialMissingCredentials() throws Exception {
        Map<String, String> creds;

        creds = asMap("email", EXISTING_ACCOUNT_ID, "foo", "bar");

        assertFalse(m_accountAdmin.getAccount(creds).isPresent());

        creds = asMap("password", "bar", "foo", "bar");

        assertFalse(m_accountAdmin.getAccount(creds).isPresent());

        creds = asMap("foo", "bar");

        assertFalse(m_accountAdmin.getAccount(creds).isPresent());

        creds = asMap();

        assertFalse(m_accountAdmin.getAccount(creds).isPresent());
    }

    @Test
    public void testGetAccount_WithSuperfluousCredentials() throws Exception {
        Map<String, String> creds = createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN);
        // Add some additional credentials that aren't present in the stored account...
        creds.put("type", "local");
        creds.put("other", "token");

        Optional<Account> account = m_accountAdmin.getAccount(creds);
        assertNotNull(account);

        assertTrue(account.isPresent());
    }

    @Test
    public void testRemoveAccount() throws Exception {
        m_accountAdmin.updated(asDictionary(KEY_ACCOUNT_REMOVAL_ALLOWED, "true"));

        Account account = m_accountAdmin.removeAccount(EXISTING_ACCOUNT_ID);
        assertNotNull(account);

        assertEquals(EXISTING_ACCOUNT_ID, account.getId());
        assertEquals(EXISTING_ACCOUNT_ID, account.getCredentials().get("email"));
    }

    @Test
    public void testRemoveAccount_NonExistingAccount() throws Exception {
        m_accountAdmin.updated(asDictionary(KEY_ACCOUNT_REMOVAL_ALLOWED, "true"));

        m_rule.expect(NoSuchAccountException.class);

        assertNull(m_accountAdmin.removeAccount(NON_EXISTING_ACCOUNT_ID));
    }

    @Test
    public void testRemoveAccount_NotAllowed() throws Exception {
        m_accountAdmin.updated(asDictionary(KEY_ACCOUNT_REMOVAL_ALLOWED, "false"));

        m_rule.expect(AccountException.class);

        assertNull(m_accountAdmin.removeAccount(EXISTING_ACCOUNT_ID));
    }

    @Test
    public void testRemoveAccount_NotAllowedByBackend() throws Exception {
        m_accountAdmin.updated(asDictionary(KEY_ACCOUNT_REMOVAL_ALLOWED, "true"));
        ((MockAccountAdminBackend) m_backend).setRemovalSupported(false);

        m_rule.expect(AccountException.class);

        assertNull(m_accountAdmin.removeAccount(EXISTING_ACCOUNT_ID));
    }

    @Test
    public void testResetCredentials_Forced() throws Exception {
        Account account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)).get();

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, true /* forced */);

        assertEquals(EXISTING_ACCOUNT_ID, account.getAccessToken().get());

        assertEquals(State.FORCED_CREDENTIALS_RESET, account.getState());

        verify(m_backend).update(account);
    }

    @Test
    public void testResetCredentials_ForcedFlagNotCleared() throws Exception {
        Account account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)).get();

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, true /* forced */);

        assertEquals(EXISTING_ACCOUNT_ID, account.getAccessToken().get());

        assertEquals(State.FORCED_CREDENTIALS_RESET, account.getState());

        m_rule.expect(AccountCredentialResetException.class);

        assertNull(m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)));
    }

    @Test
    public void testResetCredentials_ForcedTwice() throws Exception {
        Account account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)).get();

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, true /* forced */);

        assertTrue(account.getAccessToken().isPresent());

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, true /* forced */);

        assertEquals(State.FORCED_CREDENTIALS_RESET, account.getState());

        verify(m_backend, atLeast(2)).update(account);
    }

    @Test
    public void testResetCredentials_LockedAccount() throws Exception {
        m_rule.expect(AccountLockedException.class);

        assertNull(m_accountAdmin.resetCredentials(LOCKED_ACCOUNT_ID, false /* forced */));
    }

    @Test
    public void testResetCredentials_NonExistingAccount() throws Exception {
        m_rule.expect(NoSuchAccountException.class);

        assertNull(m_accountAdmin.resetCredentials(NON_EXISTING_ACCOUNT_ID, false /* forced */));
    }

    @Test
    public void testResetCredentials_RequestForcedResetAfterVoluntaryReset() throws Exception {
        Account account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)).get();

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, false /* forced */);

        assertTrue(account.getAccessToken().isPresent());
        assertEquals(State.VOLUNTARY_CREDENTIALS_RESET, account.getState());

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, true /* forced */);

        assertEquals(State.FORCED_CREDENTIALS_RESET, account.getState());

        verify(m_backend, atLeast(2)).update(account);
    }

    @Test
    public void testResetCredentials_RequestVoluntaryResetAfterForcedReset() throws Exception {
        Account account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)).get();

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, true /* forced */);

        assertTrue(account.getAccessToken().isPresent());
        assertEquals(State.FORCED_CREDENTIALS_RESET, account.getState());

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, false /* forced */);

        assertEquals(State.FORCED_CREDENTIALS_RESET, account.getState());

        verify(m_backend, atLeast(2)).update(account);
    }

    @Test
    public void testResetCredentials_Twice() throws Exception {
        Account account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)).get();

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, false /* forced */);

        assertTrue(account.getAccessToken().isPresent());
        assertEquals(State.VOLUNTARY_CREDENTIALS_RESET, account.getState());

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, false /* forced */);

        assertEquals(State.VOLUNTARY_CREDENTIALS_RESET, account.getState());

        verify(m_backend, atLeast(2)).update(account);
    }

    @Test
    public void testResetCredentials_UnverifiedAccount() throws Exception {
        Account account = m_accountAdmin.createAccount(createCredentials(NEW_ACCOUNT_ID, SECRET_PLAIN));
        assertNotNull(account);

        m_rule.expect(AccountCredentialResetException.class);

        assertNull(m_accountAdmin.resetCredentials(NEW_ACCOUNT_ID, true /* forced */));
    }

    @Test
    public void testResetCredentials_Voluntary() throws Exception {
        Account account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)).get();

        assertFalse(account.getAccessToken().isPresent());

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, false /* forced */);

        assertTrue(account.getAccessToken().isPresent());
        assertEquals(State.VOLUNTARY_CREDENTIALS_RESET, account.getState());

        verify(m_backend).update(account);
    }

    @Test
    public void testResetCredentials_VoluntaryFlagClearedAfterSuccessfulGet() throws Exception {
        Account account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)).get();

        account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, false /* forced */);

        assertEquals(State.VOLUNTARY_CREDENTIALS_RESET, account.getState());

        account = m_accountAdmin.getAccount(createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN)).get();

        verify(m_backend, atLeast(2)).update(account);

        assertEquals(State.NORMAL, account.getState());
    }

    @Test
    public void testUpdateAccount_AccountValidationFails() throws Exception {
        Map<String, String> creds = createCredentials(EXISTING_ACCOUNT_ID, "secret");

        doThrow(new AccountValidationException()).when(m_accountValidator).validate(any());

        m_rule.expect(AccountValidationException.class);

        assertNull(m_accountAdmin.updateAccount(creds, creds));
    }

    @Test
    public void testUpdateAccount_LockedAccount() throws Exception {
        Map<String, String> creds = createCredentials(LOCKED_ACCOUNT_ID, "bad");

        m_rule.expect(AccountLockedException.class);

        assertNull(m_accountAdmin.updateAccount(creds, creds));
    }

    @Test
    public void testUpdateAccount_NonExistingAccount() throws Exception {
        m_rule.expect(NoSuchAccountException.class);

        Map<String, String> creds = createCredentials(NON_EXISTING_ACCOUNT_ID, "bad");

        assertNull(m_accountAdmin.updateAccount(creds, creds));
    }

    @Test
    public void testUpdateAccount_NoResetTokenRequested() throws Exception {
        m_rule.expect(NoSuchAccountException.class);

        assertNull(m_accountAdmin.updateAccount(createCredentials(EXISTING_ACCOUNT_ID, "password"), EXISTING_ACCOUNT_ID));
    }

    @Test
    public void testUpdateAccount_WithInvalidResetToken() throws Exception {
        Account account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, false /* forced */);
        assertTrue(account.getAccessToken().isPresent());

        m_rule.expect(NoSuchAccountException.class);

        assertNull(m_accountAdmin.updateAccount(createCredentials(EXISTING_ACCOUNT_ID, "password"), "invalidToken"));
    }

    @Test
    public void testUpdateAccount_WithoutResetToken() throws Exception {
        Map<String, String> oldCreds = createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN);
        Map<String, String> newCreds = createCredentials(EXISTING_ACCOUNT_ID, PASSWORD_PLAIN);

        Account account = m_accountAdmin.updateAccount(oldCreds, newCreds);
        assertNotNull(account);

        assertEquals(EXISTING_ACCOUNT_ID, account.getId());
        assertEquals(EXISTING_ACCOUNT_ID, account.getCredentials().get("email"));
        assertEquals(PASSWORD_SHA256, account.getCredentials().get("password"));
        assertEquals(State.NORMAL, account.getState());
        assertEquals(Optional.empty(), account.getAccessToken());
    }

    @Test
    public void testUpdateAccount_WithoutResetToken_ForcedUpdate() throws Exception {
        Account account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, true /* forced */);
        assertTrue(account.getAccessToken().isPresent());

        Map<String, String> oldCreds = createCredentials(EXISTING_ACCOUNT_ID, SECRET_PLAIN);
        Map<String, String> newCreds = createCredentials(EXISTING_ACCOUNT_ID, "password");

        m_rule.expect(AccountCredentialResetException.class);

        assertNotNull(m_accountAdmin.updateAccount(oldCreds, newCreds));
    }

    @Test
    public void testUpdateAccount_WithoutResetToken_InvalidOldCredentials() throws Exception {
        Map<String, String> oldCreds = createCredentials(EXISTING_ACCOUNT_ID, "incorrect");
        Map<String, String> newCreds = createCredentials(EXISTING_ACCOUNT_ID, "password");

        m_rule.expect(NoSuchAccountException.class);

        assertNull(m_accountAdmin.updateAccount(oldCreds, newCreds));
    }

    @Test
    public void testUpdateAccount_WithResetToken() throws Exception {
        Account account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, false /* forced */);
        assertTrue(account.getAccessToken().isPresent());

        account = m_accountAdmin.updateAccount(createCredentials(EXISTING_ACCOUNT_ID, PASSWORD_PLAIN), EXISTING_ACCOUNT_ID);

        assertEquals(EXISTING_ACCOUNT_ID, account.getId());
        assertEquals(EXISTING_ACCOUNT_ID, account.getCredentials().get("email"));
        assertEquals(PASSWORD_SHA256, account.getCredentials().get("password"));
        assertEquals(State.NORMAL, account.getState());
        assertEquals(Optional.empty(), account.getAccessToken());
    }

    @Test
    public void testUpdateAccount_WithResetToken_AccountValidationFails() throws Exception {
        Account account = m_accountAdmin.resetCredentials(EXISTING_ACCOUNT_ID, false /* forced */);
        assertTrue(account.getAccessToken().isPresent());

        doThrow(new AccountValidationException()).when(m_accountValidator).validate(any());

        m_rule.expect(AccountValidationException.class);

        assertNull(m_accountAdmin.updateAccount(createCredentials(EXISTING_ACCOUNT_ID, "password"), EXISTING_ACCOUNT_ID));
    }

    @Test
    public void testUpdateAccount_WithResetToken_LockedAccount() throws Exception {
        m_rule.expect(AccountLockedException.class);

        assertNull(m_accountAdmin.updateAccount(createCredentials(LOCKED_ACCOUNT_ID, "password"), LOCKED_ACCOUNT_ID));
    }

    @Test
    public void testVerifyAccount() throws Exception {
        Account account = m_accountAdmin.createAccount(createCredentials(NEW_ACCOUNT_ID, SECRET_PLAIN));
        assertNotNull(account);

        account = m_accountAdmin.verifyAccount(NEW_ACCOUNT_ID, NEW_ACCOUNT_ID);
        assertNotNull(account);

        assertEquals(NEW_ACCOUNT_ID, account.getId());
        assertEquals(NEW_ACCOUNT_ID, account.getCredentials().get("email"));
        assertEquals(SECRET_SHA256, account.getCredentials().get("password"));
        assertEquals(State.NORMAL, account.getState());
        assertEquals(Optional.empty(), account.getAccessToken());
    }

    @Test
    public void testVerifyAccount_WithInvalidVerificationToken() throws Exception {
        Account account = m_accountAdmin.createAccount(createCredentials(NEW_ACCOUNT_ID, SECRET_PLAIN));
        assertNotNull(account);

        m_rule.expect(AccountException.class);

        assertNull(m_accountAdmin.verifyAccount(NEW_ACCOUNT_ID, "invalidToken"));
    }

    @Test
    public void testVerifyAccount_WithInvalidVerificationToken2() throws Exception {
        m_rule.expect(AccountException.class);

        assertNull(m_accountAdmin.verifyAccount(EXISTING_ACCOUNT_ID, EXISTING_ACCOUNT_ID));
    }

    @Test
    public void testVerifyAccount_WithResetToken_LockedAccount() throws Exception {
        m_rule.expect(AccountLockedException.class);

        assertNull(m_accountAdmin.verifyAccount(LOCKED_ACCOUNT_ID, LOCKED_ACCOUNT_ID));
    }
}
Tech Fingerprint

Alerts (2)

'String password' Security Critical: Storing passwords or sensitive secrets directly in String objects is insecure. Strings are immutable and pooled, making them hard to clear from memory reliably. Use `char[]` instead and explicitly clear it after use.
114
Complexity hotspot; line 127 (total complexity: 3)
127