Merge pull request #25 from CCC-MF/issue_24

Möglichkeit zu Berechtigungsprüfung auf Patienten- und Prozedurdaten
author: Paul-Christian Volkmer 2023-04-10 16:45:58 +0200
committer: GitHub 2023-04-10 16:45:58 +0200
commit: 262ed35378a64490e335d95a46f56bb51748c10d (patch)
tree: 09326cbfd5e71f3db1603cef027c1968aaefedbe /src/test/java/DNPM
parent: 08082f9a7d787c813ce32301412e41ad0137e253 (diff)
parent: f2dc5b014d68fa61bacd5f9928eedd0c4c882070 (diff)
5 files changed, 686 insertions, 0 deletions
diff --git a/src/test/java/DNPM/security/DelegatingDataBasedPermissionEvaluatorTest.java b/src/test/java/DNPM/security/DelegatingDataBasedPermissionEvaluatorTest.java
new file mode 100644
index 0000000..1d8ecf8
--- /dev/null
+++ b/src/test/java/DNPM/security/DelegatingDataBasedPermissionEvaluatorTest.java
@@ -0,0 +1,122 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class DelegatingDataBasedPermissionEvaluatorTest {
+
+    private IOnkostarApi onkostarApi;
+
+    private PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator;
+
+    private FormBasedPermissionEvaluator formBasedPermissionEvaluator;
+
+    private DelegatingDataBasedPermissionEvaluator delegatingDataBasedPermissionEvaluator;
+
+    @BeforeEach
+    void setup(
+            @Mock IOnkostarApi onkostarApi,
+            @Mock PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator,
+            @Mock FormBasedPermissionEvaluator formBasedPermissionEvaluator
+            ) {
+        this.onkostarApi = onkostarApi;
+        this.personPoolBasedPermissionEvaluator = personPoolBasedPermissionEvaluator;
+        this.formBasedPermissionEvaluator = formBasedPermissionEvaluator;
+
+        this.delegatingDataBasedPermissionEvaluator = new DelegatingDataBasedPermissionEvaluator(
+                List.of(personPoolBasedPermissionEvaluator, formBasedPermissionEvaluator)
+        );
+    }
+
+    @Test
+    void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByObject() {
+        when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
+        when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
+
+        var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ);
+
+        assertThat(actual).isTrue();
+    }
+
+    @Test
+    void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByIdAndType() {
+        when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
+        when(formBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
+
+        var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ);
+
+        assertThat(actual).isTrue();
+    }
+
+    @Test
+    void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByObject() {
+        when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
+        when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(false);
+
+        var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ);
+
+        assertThat(actual).isFalse();
+    }
+
+    @Test
+    void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByIdAndType() {
+        when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(false);
+
+        var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ);
+
+        assertThat(actual).isFalse();
+    }
+
+}
+
+class DummyAuthentication implements Authentication {
+    @Override
+    public String getName() {
+        return "dummy";
+    }
+
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return null;
+    }
+
+    @Override
+    public Object getCredentials() {
+        return null;
+    }
+
+    @Override
+    public Object getDetails() {
+        return null;
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return null;
+    }
+
+    @Override
+    public boolean isAuthenticated() {
+        return false;
+    }
+
+    @Override
+    public void setAuthenticated(boolean b) throws IllegalArgumentException {
+
+    }
+}
+\ No newline at end of file
diff --git a/src/test/java/DNPM/security/FormBasedPermissionEvaluatorTest.java b/src/test/java/DNPM/security/FormBasedPermissionEvaluatorTest.java
new file mode 100644
index 0000000..ca3d314
--- /dev/null
+++ b/src/test/java/DNPM/security/FormBasedPermissionEvaluatorTest.java
@@ -0,0 +1,112 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.core.Authentication;
+
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class FormBasedPermissionEvaluatorTest {
+
+    private IOnkostarApi onkostarApi;
+
+    private Authentication dummyAuthentication;
+
+    private SecurityService securityService;
+
+    private FormBasedPermissionEvaluator permissionEvaluator;
+
+    @BeforeEach
+    void setup(
+            @Mock IOnkostarApi onkostarApi,
+            @Mock SecurityService securityService,
+            @Mock DummyAuthentication dummyAuthentication
+    ) {
+        this.onkostarApi = onkostarApi;
+        this.dummyAuthentication = dummyAuthentication;
+        this.securityService = securityService;
+
+        this.permissionEvaluator = new FormBasedPermissionEvaluator(
+                onkostarApi, securityService
+        );
+    }
+
+    @Test
+    void testShouldGrantPermissionByProcedure() {
+        when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5"));
+
+        var object = new Procedure(onkostarApi);
+        object.setFormName("OS.Form2");
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+        assertThat(actual).isTrue();
+    }
+
+    @Test
+    void testShouldGrantPermissionByProcedureId() {
+        when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5"));
+
+        doAnswer(invocationOnMock -> {
+            var object = new Procedure(onkostarApi);
+            object.setFormName("OS.Form2");
+            return object;
+        }).when(onkostarApi).getProcedure(anyInt());
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ);
+        assertThat(actual).isTrue();
+    }
+
+    @Test
+    void testShouldDenyPermissionByProcedure() {
+        when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5"));
+
+        var object = new Procedure(onkostarApi);
+        object.setFormName("OS.Form1");
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+        assertThat(actual).isFalse();
+    }
+
+    @Test
+    void testShouldDenyPermissionByProcedureId() {
+        when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5"));
+
+        doAnswer(invocationOnMock -> {
+            var object = new Procedure(onkostarApi);
+            object.setFormName("OS.Form1");
+            return object;
+        }).when(onkostarApi).getProcedure(anyInt());
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ);
+        assertThat(actual).isFalse();
+    }
+
+    @Test
+    void testShouldVoteForPermissionToPatient() {
+        var object = new Patient(onkostarApi);
+        object.setPersonPoolCode("Pool1");
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+        assertThat(actual).isTrue();
+    }
+
+    @Test
+    void testShouldVoteForPermissionToIdOfTypeProcedure() {
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, FormBasedPermissionEvaluator.PATIENT, PermissionType.READ);
+        assertThat(actual).isTrue();
+    }
+
+}
diff --git a/src/test/java/DNPM/security/FormBasedSecurityAspectsTest.java b/src/test/java/DNPM/security/FormBasedSecurityAspectsTest.java
new file mode 100644
index 0000000..a7ae32c
--- /dev/null
+++ b/src/test/java/DNPM/security/FormBasedSecurityAspectsTest.java
@@ -0,0 +1,132 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class FormBasedSecurityAspectsTest {
+
+    private DummyClass dummyClass;
+
+    private IOnkostarApi onkostarApi;
+
+    private FormBasedPermissionEvaluator permissionEvaluator;
+
+    @BeforeEach
+    void setup(
+            @Mock IOnkostarApi onkostarApi,
+            @Mock FormBasedPermissionEvaluator permissionEvaluator
+    ) {
+        this.onkostarApi = onkostarApi;
+        this.permissionEvaluator = permissionEvaluator;
+
+        // Create proxied instance of DummyClass as done within Onkostar using Spring AOP
+        var dummyClass = new DummyClass(onkostarApi);
+        AspectJProxyFactory factory = new AspectJProxyFactory(dummyClass);
+        FormBasedSecurityAspects securityAspects = new FormBasedSecurityAspects(this.permissionEvaluator);
+        factory.addAspect(securityAspects);
+        this.dummyClass = factory.getProxy();
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithPatientParam() {
+        this.dummyClass.methodWithPatientParam(new Patient(onkostarApi));
+        verify(onkostarApi, times(1)).savePatient(any(Patient.class));
+    }
+
+    @Test
+    void testShouldPreventSecuredMethodCallWithProcedureParam() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(false);
+
+        var exception = assertThrows(
+                Exception.class,
+                () -> this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi))
+        );
+        assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithProcedureParam() throws Exception {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(true);
+
+        this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi));
+
+        verify(onkostarApi, times(1)).saveProcedure(any(Procedure.class), anyBoolean());
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithPatientReturnValue() {
+        var actual = this.dummyClass.methodWithPatientReturnValue(1);
+        assertThat(actual).isNotNull();
+    }
+
+    @Test
+    void testShouldPreventSecuredMethodCallWithProcedureReturnValue() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(false);
+
+        var exception = assertThrows(
+                Exception.class,
+                () -> this.dummyClass.methodWithProcedureReturnValue(1)
+        );
+        assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithProcedureReturnValue() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(true);
+
+        var actual = this.dummyClass.methodWithProcedureReturnValue(1);
+
+        assertThat(actual).isNotNull();
+    }
+
+    private static class DummyClass {
+
+        private final IOnkostarApi onkostarApi;
+
+        DummyClass(final IOnkostarApi onkostarApi) {
+            this.onkostarApi = onkostarApi;
+        }
+
+        @FormSecured
+        public void methodWithPatientParam(Patient patient) {
+            this.onkostarApi.savePatient(patient);
+        }
+
+        @FormSecured
+        public void methodWithProcedureParam(Procedure procedure) throws Exception {
+            this.onkostarApi.saveProcedure(procedure, false);
+        }
+
+        @FormSecuredResult
+        public Patient methodWithPatientReturnValue(int id) {
+            var patient = new Patient(this.onkostarApi);
+            patient.setId(id);
+            return patient;
+        }
+
+        @FormSecuredResult
+        public Procedure methodWithProcedureReturnValue(int id) {
+            var procedure = new Procedure(this.onkostarApi);
+            procedure.setId(id);
+            return procedure;
+        }
+    }
+
+}
diff --git a/src/test/java/DNPM/security/PersonPoolBasedPermissionEvaluatorTest.java b/src/test/java/DNPM/security/PersonPoolBasedPermissionEvaluatorTest.java
new file mode 100644
index 0000000..a05f83a
--- /dev/null
+++ b/src/test/java/DNPM/security/PersonPoolBasedPermissionEvaluatorTest.java
@@ -0,0 +1,156 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.core.Authentication;
+
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class PersonPoolBasedPermissionEvaluatorTest {
+
+    private IOnkostarApi onkostarApi;
+
+    private Authentication dummyAuthentication;
+
+    private PersonPoolBasedPermissionEvaluator permissionEvaluator;
+
+    @BeforeEach
+    void setup(
+            @Mock IOnkostarApi onkostarApi,
+            @Mock SecurityService securityService,
+            @Mock DummyAuthentication dummyAuthentication
+            ) {
+        this.onkostarApi = onkostarApi;
+        this.dummyAuthentication = dummyAuthentication;
+
+        this.permissionEvaluator = new PersonPoolBasedPermissionEvaluator(
+                onkostarApi, securityService
+        );
+
+        when(securityService.getPersonPoolIdsForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("Pool2", "Pool3", "Pool5"));
+    }
+
+    @Test
+    void testShouldGrantPermissionByPatientObject() {
+        var object = new Patient(onkostarApi);
+        object.setPersonPoolCode("Pool2");
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+
+        assertThat(actual).isTrue();
+    }
+
+    @Test
+    void testShouldGrantPermissionByPatientIdAndType() {
+        doAnswer(invocationOnMock -> {
+            var object = new Patient(onkostarApi);
+            object.setPersonPoolCode("Pool2");
+            return object;
+        }).when(onkostarApi).getPatient(anyInt());
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PATIENT, PermissionType.READ);
+
+        assertThat(actual).isTrue();
+    }
+
+    @Test
+    void testShouldDenyPermissionByPatientObject() {
+        var object = new Patient(onkostarApi);
+        object.setPersonPoolCode("Pool1");
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+
+        assertThat(actual).isFalse();
+    }
+
+    @Test
+    void testShouldDenyPermissionByPatientIdAndType() {
+        doAnswer(invocationOnMock -> {
+            var object = new Patient(onkostarApi);
+            object.setPersonPoolCode("Pool1");
+            return object;
+        }).when(onkostarApi).getPatient(anyInt());
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PATIENT, PermissionType.READ);
+
+        assertThat(actual).isFalse();
+    }
+
+    @Test
+    void testShouldGrantPermissionByProcedureObject() {
+        var patient = new Patient(onkostarApi);
+        patient.setPersonPoolCode("Pool2");
+
+        var object = new Procedure(onkostarApi);
+        object.setFormName("OS.Form1");
+        object.setPatient(patient);
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+
+        assertThat(actual).isTrue();
+    }
+
+    @Test
+    void testShouldGrantPermissionByProcedureIdAndType() {
+        doAnswer(invocationOnMock -> {
+            var patient = new Patient(onkostarApi);
+            patient.setPersonPoolCode("Pool2");
+
+            var object = new Procedure(onkostarApi);
+            object.setFormName("OS.Form1");
+            object.setPatient(patient);
+
+            return object;
+        }).when(onkostarApi).getProcedure(anyInt());
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 456, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ);
+
+        assertThat(actual).isTrue();
+    }
+
+    @Test
+    void testShouldDenyPermissionByProcedureObject() {
+        var patient = new Patient(onkostarApi);
+        patient.setPersonPoolCode("Pool1");
+
+        var object = new Procedure(onkostarApi);
+        object.setFormName("OS.Form1");
+        object.setPatient(patient);
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+
+        assertThat(actual).isFalse();
+    }
+
+    @Test
+    void testShouldDenyPermissionByProcedureIdAndType() {
+        doAnswer(invocationOnMock -> {
+            var patient = new Patient(onkostarApi);
+            patient.setPersonPoolCode("Pool1");
+
+            var object = new Procedure(onkostarApi);
+            object.setFormName("OS.Form1");
+            object.setPatient(patient);
+
+            return object;
+        }).when(onkostarApi).getProcedure(anyInt());
+
+        var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ);
+
+        assertThat(actual).isFalse();
+    }
+
+}
+\ No newline at end of file
diff --git a/src/test/java/DNPM/security/PersonPoolBasedSecurityAspectsTest.java b/src/test/java/DNPM/security/PersonPoolBasedSecurityAspectsTest.java
new file mode 100644
index 0000000..b20127e
--- /dev/null
+++ b/src/test/java/DNPM/security/PersonPoolBasedSecurityAspectsTest.java
@@ -0,0 +1,164 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class PersonPoolBasedSecurityAspectsTest {
+
+    private DummyClass dummyClass;
+
+    private IOnkostarApi onkostarApi;
+
+    private PersonPoolBasedPermissionEvaluator permissionEvaluator;
+
+    @BeforeEach
+    void setup(
+            @Mock IOnkostarApi onkostarApi,
+            @Mock PersonPoolBasedPermissionEvaluator permissionEvaluator
+    ) {
+        this.onkostarApi = onkostarApi;
+        this.permissionEvaluator = permissionEvaluator;
+
+        // Create proxied instance of DummyClass as done within Onkostar using Spring AOP
+        var dummyClass = new DummyClass(onkostarApi);
+        AspectJProxyFactory factory = new AspectJProxyFactory(dummyClass);
+        PersonPoolBasedSecurityAspects securityAspects = new PersonPoolBasedSecurityAspects(this.permissionEvaluator);
+        factory.addAspect(securityAspects);
+        this.dummyClass = factory.getProxy();
+    }
+
+    @Test
+    void testShouldPreventSecuredMethodCallWithPatientParam() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+                .thenReturn(false);
+
+        var exception = assertThrows(
+                Exception.class,
+                () -> this.dummyClass.methodWithPatientParam(new Patient(onkostarApi))
+        );
+        assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithPatientParam() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+                .thenReturn(true);
+
+        this.dummyClass.methodWithPatientParam(new Patient(onkostarApi));
+
+        verify(onkostarApi, times(1)).savePatient(any(Patient.class));
+    }
+
+    @Test
+    void testShouldPreventSecuredMethodCallWithProcedureParam() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(false);
+
+        var exception = assertThrows(
+                Exception.class,
+                () -> this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi))
+        );
+        assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithProcedureParam() throws Exception {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(true);
+
+        this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi));
+
+        verify(onkostarApi, times(1)).saveProcedure(any(Procedure.class), anyBoolean());
+    }
+
+    @Test
+    void testShouldPreventSecuredMethodCallWithPatientReturnValue() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+                .thenReturn(false);
+
+        var exception = assertThrows(
+                Exception.class,
+                () -> this.dummyClass.methodWithPatientReturnValue(1)
+        );
+        assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithPatientReturnValue() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+                .thenReturn(true);
+
+        var actual = this.dummyClass.methodWithPatientReturnValue(1);
+
+        assertThat(actual).isNotNull();
+    }
+
+    @Test
+    void testShouldPreventSecuredMethodCallWithProcedureReturnValue() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(false);
+
+        var exception = assertThrows(
+                Exception.class,
+                () -> this.dummyClass.methodWithProcedureReturnValue(1)
+        );
+        assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+    }
+
+    @Test
+    void testShouldAllowSecuredMethodCallWithProcedureReturnValue() {
+        when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+                .thenReturn(true);
+
+        var actual = this.dummyClass.methodWithProcedureReturnValue(1);
+
+        assertThat(actual).isNotNull();
+    }
+
+    private static class DummyClass {
+
+        private final IOnkostarApi onkostarApi;
+
+        DummyClass(final IOnkostarApi onkostarApi) {
+            this.onkostarApi = onkostarApi;
+        }
+
+        @PersonPoolSecured
+        public void methodWithPatientParam(Patient patient) {
+            this.onkostarApi.savePatient(patient);
+        }
+
+        @PersonPoolSecured
+        public void methodWithProcedureParam(Procedure procedure) throws Exception {
+            this.onkostarApi.saveProcedure(procedure, false);
+        }
+
+        @PersonPoolSecuredResult
+        public Patient methodWithPatientReturnValue(int id) {
+            var patient = new Patient(this.onkostarApi);
+            patient.setId(id);
+            return patient;
+        }
+
+        @PersonPoolSecuredResult
+        public Procedure methodWithProcedureReturnValue(int id) {
+            var procedure = new Procedure(this.onkostarApi);
+            procedure.setId(id);
+            return procedure;
+        }
+    }
+
+}
author	Paul-Christian Volkmer	2023-04-10 16:45:58 +0200
committer	GitHub	2023-04-10 16:45:58 +0200
commit	262ed35378a64490e335d95a46f56bb51748c10d (patch)
tree	09326cbfd5e71f3db1603cef027c1968aaefedbe /src/test/java/DNPM
parent	08082f9a7d787c813ce32301412e41ad0137e253 (diff)
parent	f2dc5b014d68fa61bacd5f9928eedd0c4c882070 (diff)