
Update badge resource tests to auth via URI query
Update tests to focus on API authentication via URI query parameter, but
keep some tests that exercise header authentication, as that remains an
option.

Requires  stevespringett/Alpine#641

Signed-off-by: Kirill.Sybin <kirill.sybin@lex-com.net>
Kirill.Sybin committed Sep 3, 2024
1 parent 59be490 commit 2790e1c
Showing 2 changed files with 205 additions and 28 deletions.
1 change: 1 addition & 0 deletions src/test/java/org/dependencytrack/ResourceTest.java
Expand Up @@ -78,6 +78,7 @@ public abstract class ResourceTest {
protected final String SIZE = "size";
protected final String TOTAL_COUNT_HEADER = "X-Total-Count";
protected final String X_API_KEY = "X-Api-Key";
protected final String API_KEY = "apiKey";
protected final String V1_TAG = "/v1/tag";

// Hashing is expensive. Do it once and re-use across tests as much as possible.
232 changes: 204 additions & 28 deletions src/test/java/org/dependencytrack/resources/v1/BadgeResourceTest.java
Expand Up @@ -53,6 +53,20 @@ public class BadgeResourceTest extends ResourceTest {
public void projectVulnerabilitiesByUuidTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

Project project = qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/vulns/project/" + project.getUuid())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(200, response.getStatus(), 0);
Assert.assertEquals("image/svg+xml", response.getHeaderString("Content-Type"));
Assert.assertTrue(isLikelySvg(getPlainTextBody(response)));
}

@Test
public void projectVulnerabilitiesByUuidWithHeaderAuthenticationTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

Project project = qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/vulns/project/" + project.getUuid()).request()
.header(X_API_KEY, apiKey)
Expand All @@ -66,8 +80,9 @@ public void projectVulnerabilitiesByUuidTest() {
public void projectVulnerabilitiesByUuidProjectNotFoundTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

Response response = jersey.target(V1_BADGE + "/vulns/project/" + UUID.randomUUID()).request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/vulns/project/" + UUID.randomUUID())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(404, response.getStatus(), 0);
}
Expand All @@ -85,8 +100,9 @@ public void projectVulnerabilitiesByUuidMissingAuthenticationTest() {
@Test
public void projectVulnerabilitiesByUuidMissingPermissionTest() {
Project project = qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/vulns/project/" + project.getUuid()).request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/vulns/project/" + project.getUuid())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(403, response.getStatus(), 0);
}
Expand All @@ -109,6 +125,33 @@ public void projectVulnerabilitiesByUuidWithAclAccessTest() {
project.setAccessTeams(List.of(team));
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/vulns/project/" + project.getUuid())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(200, response.getStatus(), 0);
Assert.assertEquals("image/svg+xml", response.getHeaderString("Content-Type"));
Assert.assertTrue(isLikelySvg(getPlainTextBody(response)));
}

@Test
public void projectVulnerabilitiesByUuidWithAclAccessWithHeaderAuthenticationTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createConfigProperty(
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getGroupName(),
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyName(),
"true",
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyType(),
null
);

Project project = new Project();
project.setName("Acme Example");
project.setVersion("1.0.0");
project.setAccessTeams(List.of(team));
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/vulns/project/" + project.getUuid()).request()
.header(X_API_KEY, apiKey)
.get(Response.class);
Expand All @@ -134,8 +177,9 @@ public void projectVulnerabilitiesByUuidWithAclNoAccessTest() {
project.setVersion("1.0.0");
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/vulns/project/" + project.getUuid()).request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/vulns/project/" + project.getUuid())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(403, response.getStatus(), 0);
}
Expand All @@ -144,6 +188,20 @@ public void projectVulnerabilitiesByUuidWithAclNoAccessTest() {
public void projectVulnerabilitiesByNameAndVersionTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(200, response.getStatus(), 0);
Assert.assertEquals("image/svg+xml", response.getHeaderString("Content-Type"));
Assert.assertTrue(isLikelySvg(getPlainTextBody(response)));
}

@Test
public void projectVulnerabilitiesByNameAndVersionWithHeaderAuthenticationTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.0.0").request()
.header(X_API_KEY, apiKey)
Expand All @@ -157,8 +215,9 @@ public void projectVulnerabilitiesByNameAndVersionTest() {
public void projectVulnerabilitiesByNameAndVersionProjectNotFoundTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

Response response = jersey.target(V1_BADGE + "/vulns/project/ProjectNameDoesNotExist/1.0.0").request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/vulns/project/ProjectNameDoesNotExist/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(404, response.getStatus(), 0);
}
Expand All @@ -168,8 +227,9 @@ public void projectVulnerabilitiesByNameAndVersionVersionNotFoundTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.2.0").request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.2.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(404, response.getStatus(), 0);
}
Expand All @@ -187,8 +247,9 @@ public void projectVulnerabilitiesByNameAndVersionMissingAuthenticationTest() {
@Test
public void projectVulnerabilitiesByNameAndVersionMissingPermissionTest() {
qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.0.0").request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(403, response.getStatus(), 0);
}
Expand All @@ -211,6 +272,33 @@ public void projectVulnerabilitiesByNameAndVersionWithAclAccessTest() {
project.setAccessTeams(List.of(team));
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(200, response.getStatus(), 0);
Assert.assertEquals("image/svg+xml", response.getHeaderString("Content-Type"));
Assert.assertTrue(isLikelySvg(getPlainTextBody(response)));
}

@Test
public void projectVulnerabilitiesByNameAndVersionWithAclAccessWithHeaderAuthenticationTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createConfigProperty(
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getGroupName(),
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyName(),
"true",
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyType(),
null
);

Project project = new Project();
project.setName("Acme Example");
project.setVersion("1.0.0");
project.setAccessTeams(List.of(team));
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.0.0").request()
.header(X_API_KEY, apiKey)
.get(Response.class);
Expand All @@ -236,8 +324,9 @@ public void projectVulnerabilitiesByNameAndVersionWithAclNoAccessTest() {
project.setVersion("1.0.0");
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.0.0").request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/vulns/project/Acme%20Example/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(403, response.getStatus(), 0);
}
Expand All @@ -246,6 +335,20 @@ public void projectVulnerabilitiesByNameAndVersionWithAclNoAccessTest() {
public void projectPolicyViolationsByUuidTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

Project project = qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/violations/project/" + project.getUuid())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(200, response.getStatus(), 0);
Assert.assertEquals("image/svg+xml", response.getHeaderString("Content-Type"));
Assert.assertTrue(isLikelySvg(getPlainTextBody(response)));
}

@Test
public void projectPolicyViolationsByUuidWithHeaderAuthenticationTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

Project project = qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/violations/project/" + project.getUuid()).request()
.header(X_API_KEY, apiKey)
Expand All @@ -259,8 +362,9 @@ public void projectPolicyViolationsByUuidTest() {
public void projectPolicyViolationsByUuidProjectNotFoundTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

Response response = jersey.target(V1_BADGE + "/violations/project/" + UUID.randomUUID()).request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/violations/project/" + UUID.randomUUID())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(404, response.getStatus(), 0);
}
Expand All @@ -278,8 +382,9 @@ public void projectPolicyViolationsByUuidMissingAuthenticationTest() {
@Test
public void projectPolicyViolationsByUuidMissingPermissionTest() {
Project project = qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/violations/project/" + project.getUuid()).request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/violations/project/" + project.getUuid())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(403, response.getStatus(), 0);
}
Expand All @@ -302,6 +407,33 @@ public void projectPolicyViolationsByUuidWithAclAccessTest() {
project.setAccessTeams(List.of(team));
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/violations/project/" + project.getUuid())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(200, response.getStatus(), 0);
Assert.assertEquals("image/svg+xml", response.getHeaderString("Content-Type"));
Assert.assertTrue(isLikelySvg(getPlainTextBody(response)));
}

@Test
public void projectPolicyViolationsByUuidWithAclAccessWithHeaderAuthenticationTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createConfigProperty(
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getGroupName(),
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyName(),
"true",
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyType(),
null
);

Project project = new Project();
project.setName("Acme Example");
project.setVersion("1.0.0");
project.setAccessTeams(List.of(team));
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/violations/project/" + project.getUuid()).request()
.header(X_API_KEY, apiKey)
.get(Response.class);
Expand All @@ -327,8 +459,9 @@ public void projectPolicyViolationsByUuidWithAclNoAccessTest() {
project.setVersion("1.0.0");
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/violations/project/" + project.getUuid()).request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/violations/project/" + project.getUuid())
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(403, response.getStatus(), 0);
}
Expand All @@ -337,6 +470,20 @@ public void projectPolicyViolationsByUuidWithAclNoAccessTest() {
public void projectPolicyViolationsByNameAndVersionTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(200, response.getStatus(), 0);
Assert.assertEquals("image/svg+xml", response.getHeaderString("Content-Type"));
Assert.assertTrue(isLikelySvg(getPlainTextBody(response)));
}

@Test
public void projectPolicyViolationsByNameAndVersionWithHeaderAuthenticationTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.0.0").request()
.header(X_API_KEY, apiKey)
Expand All @@ -350,8 +497,9 @@ public void projectPolicyViolationsByNameAndVersionTest() {
public void projectPolicyViolationsByNameAndVersionProjectNotFoundTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

Response response = jersey.target(V1_BADGE + "/violations/project/ProjectNameDoesNotExist/1.0.0").request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/violations/project/ProjectNameDoesNotExist/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(404, response.getStatus(), 0);
}
Expand All @@ -361,8 +509,9 @@ public void projectPolicyViolationsByNameAndVersionVersionNotFoundTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.2.0").request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.2.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(404, response.getStatus(), 0);
}
Expand All @@ -380,8 +529,9 @@ public void projectPolicyViolationsByNameAndVersionMissingAuthenticationTest() {
@Test
public void projectPolicyViolationsByNameAndVersionMissingPermissionTest() {
qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.0.0").request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(403, response.getStatus(), 0);
}
Expand All @@ -402,6 +552,31 @@ public void projectPolicyViolationsByNameAndVersionWithAclAccessTest() {
project.setAccessTeams(List.of(team));
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(200, response.getStatus(), 0);
Assert.assertEquals("image/svg+xml", response.getHeaderString("Content-Type"));
Assert.assertTrue(isLikelySvg(getPlainTextBody(response)));
}

@Test
public void projectPolicyViolationsByNameAndVersionWithAclAccessWithHeaderAuthenticationTest() {
initializeWithPermissions(Permissions.VIEW_BADGES);

qm.createConfigProperty(
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getGroupName(),
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyName(),
"true",
ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyType(),
null
);

Project project = qm.createProject("Acme Example", null, "1.0.0", null, null, null, true, false);
project.setAccessTeams(List.of(team));
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.0.0").request()
.header(X_API_KEY, apiKey)
.get(Response.class);
Expand All @@ -427,8 +602,9 @@ public void projectPolicyViolationsByNameAndVersionWithAclNoAccessTest() {
project.setVersion("1.0.0");
qm.persist(project);

Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.0.0").request()
.header(X_API_KEY, apiKey)
Response response = jersey.target(V1_BADGE + "/violations/project/Acme%20Example/1.0.0")
.queryParam(API_KEY, apiKey)
.request()
.get(Response.class);
Assert.assertEquals(403, response.getStatus(), 0);
}
