Merge pull request #25 from CCC-MF/issue_24

Möglichkeit zu Berechtigungsprüfung auf Patienten- und Prozedurdaten
author: Paul-Christian Volkmer 2023-04-10 16:45:58 +0200
committer: GitHub 2023-04-10 16:45:58 +0200
commit: 262ed35378a64490e335d95a46f56bb51748c10d (patch)
tree: 09326cbfd5e71f3db1603cef027c1968aaefedbe /src/test/java/DNPM/security/FormBasedSecurityAspectsTest.java
parent: 08082f9a7d787c813ce32301412e41ad0137e253 (diff)
parent: f2dc5b014d68fa61bacd5f9928eedd0c4c882070 (diff)
1 files changed, 132 insertions, 0 deletions
diff --git a/src/test/java/DNPM/security/FormBasedSecurityAspectsTest.java b/src/test/java/DNPM/security/FormBasedSecurityAspectsTest.java
new file mode 100644
index 0000000..a7ae32c
--- /dev/null
+++ b/src/test/java/DNPM/security/FormBasedSecurityAspectsTest.java
@@ -0,0 +1,132 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class FormBasedSecurityAspectsTest {
+
+    private DummyClass dummyClass;
+
+    private IOnkostarApi onkostarApi;
+
+    private FormBasedPermissionEvaluator permissionEvaluator;
+
+    @BeforeEach
+    void setup(
+            @Mock IOnkostarApi onkostarApi,
+            @Mock FormBasedPermissionEvaluator permissionEvaluator
+    ) {
+        this.onkostarApi = onkostarApi;
+        this.permissionEvaluator = permissionEvaluator;
+
+        // Create proxied instance of DummyClass as done within Onkostar using Spring AOP
+        var dummyClass = new DummyClass(onkostarApi);
+        AspectJProxyFactory factory = new AspectJProxyFactory(dummyClass);
+        FormBasedSecurityAspects securityAspects = new FormBasedSecurityAspects(this.permissionEvaluator);
+        factory.addAspect(securityAspects);
+        this.dummyClass = factory.getProxy();
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithPatientParam() {
+        this.dummyClass.methodWithPatientParam(new Patient(onkostarApi));
+        verify(onkostarApi, times(1)).savePatient(any(Patient.class));
+    }
+
+    @Test
+    void testShouldPreventSecuredMethodCallWithProcedureParam() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(false);
+
+        var exception = assertThrows(
+                Exception.class,
+                () -> this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi))
+        );
+        assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithProcedureParam() throws Exception {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(true);
+
+        this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi));
+
+        verify(onkostarApi, times(1)).saveProcedure(any(Procedure.class), anyBoolean());
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithPatientReturnValue() {
+        var actual = this.dummyClass.methodWithPatientReturnValue(1);
+        assertThat(actual).isNotNull();
+    }
+
+    @Test
+    void testShouldPreventSecuredMethodCallWithProcedureReturnValue() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(false);
+
+        var exception = assertThrows(
+                Exception.class,
+                () -> this.dummyClass.methodWithProcedureReturnValue(1)
+        );
+        assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithProcedureReturnValue() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(true);
+
+        var actual = this.dummyClass.methodWithProcedureReturnValue(1);
+
+        assertThat(actual).isNotNull();
+    }
+
+    private static class DummyClass {
+
+        private final IOnkostarApi onkostarApi;
+
+        DummyClass(final IOnkostarApi onkostarApi) {
+            this.onkostarApi = onkostarApi;
+        }
+
+        @FormSecured
+        public void methodWithPatientParam(Patient patient) {
+            this.onkostarApi.savePatient(patient);
+        }
+
+        @FormSecured
+        public void methodWithProcedureParam(Procedure procedure) throws Exception {
+            this.onkostarApi.saveProcedure(procedure, false);
+        }
+
+        @FormSecuredResult
+        public Patient methodWithPatientReturnValue(int id) {
+            var patient = new Patient(this.onkostarApi);
+            patient.setId(id);
+            return patient;
+        }
+
+        @FormSecuredResult
+        public Procedure methodWithProcedureReturnValue(int id) {
+            var procedure = new Procedure(this.onkostarApi);
+            procedure.setId(id);
+            return procedure;
+        }
+    }
+
+}
author	Paul-Christian Volkmer	2023-04-10 16:45:58 +0200
committer	GitHub	2023-04-10 16:45:58 +0200
commit	262ed35378a64490e335d95a46f56bb51748c10d (patch)
tree	09326cbfd5e71f3db1603cef027c1968aaefedbe /src/test/java/DNPM/security/FormBasedSecurityAspectsTest.java
parent	08082f9a7d787c813ce32301412e41ad0137e253 (diff)
parent	f2dc5b014d68fa61bacd5f9928eedd0c4c882070 (diff)