Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dcp-967 managed access #152

Merged
merged 3 commits into from
Nov 10, 2023
Merged

dcp-967 managed access #152

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b138d58
dcp-967 managed access - require authentication for all read operations
amnonkhen Nov 10, 2023
7b39acd
dcp-967 managed access: root resource,HAL browser to be publically av…
amnonkhen Nov 10, 2023
289d50b
Merge remote-tracking branch 'origin/feature/dcp-967-managed-access' …
amnonkhen Nov 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 26 additions & 6 deletions src/integration/java/org/humancellatlas/ingest/security/SecurityTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
package org.humancellatlas.ingest.security;

import org.hamcrest.CoreMatchers;
import org.humancellatlas.ingest.config.MigrationConfiguration;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
Expand All @@ -10,13 +12,14 @@
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import java.util.stream.Stream;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

@SpringBootTest
@AutoConfigureDataMongo()
Expand Down Expand Up @@ -51,14 +54,14 @@ class Authorised {
@MethodSource("org.humancellatlas.ingest.security.SecurityTest#metadataTypes")
@WithMockUser
public void apiAccessWithTrailingSlashIsPermitted(String metadataTypePlural) throws Exception {
checkGetUrlIsAuthorized("/" + metadataTypePlural + "/");
checkGetUrlIsOk("/" + metadataTypePlural + "/");
}

@ParameterizedTest
@MethodSource("org.humancellatlas.ingest.security.SecurityTest#metadataTypes")
@WithMockUser
public void apiAccessNoTrailingSlashIsPermitted(String metadataTypePlural) throws Exception {
checkGetUrlIsAuthorized("/" + metadataTypePlural);
checkGetUrlIsOk("/" + metadataTypePlural);
}

}
Expand All @@ -73,19 +76,36 @@ public void apiAccessWithTrailingSlashIsBlocked(String metadataTypePlural) throw

@ParameterizedTest
@MethodSource("org.humancellatlas.ingest.security.SecurityTest#metadataTypes")

public void apiAccessNoTrailingSlashIsBlocked(String metadataTypePlural) throws Exception {
checkGetUrlIsUnauthorized("/" + metadataTypePlural);
}
}


}

@Nested
class RootResource {
@Test
public void checkUnauthenticatedJson_IsAllowed() throws Exception {
webApp.perform(get("/")
.accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk())
.andExpect(jsonPath("_links").hasJsonPath());
}
@Test
public void checkUnauthenticatedHtml_IsAllowed() throws Exception {
webApp.perform(get("/browser/index.html")
.accept(MediaType.TEXT_HTML))
.andExpect(status().isOk())
.andExpect(content().string(CoreMatchers.containsString("The HAL Browser (for Spring Data REST)")));
}
}
private void checkGetUrlIsUnauthorized(String url) throws Exception {
webApp.perform(
get(url)
).andExpect(status().isUnauthorized());
}
private void checkGetUrlIsAuthorized(String url) throws Exception {
private void checkGetUrlIsOk(String url) throws Exception {
webApp.perform(
get(url)
).andExpect(status().isOk());
Expand Down
2 changes: 2 additions & 0 deletions src/main/java/org/humancellatlas/ingest/security/SecurityConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,8 @@ protected void configure(HttpSecurity http) throws Exception {
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.cors().and()
.authorizeRequests()
.antMatchers(GET, "/").permitAll()
.antMatchers(GET, "/browser/**").permitAll()
.antMatchers(POST, "/submissionEnvelopes").authenticated()
.antMatchers(POST, "/projects").authenticated()
.antMatchers(POST, "/projects/suggestion").permitAll()
Expand Down