summaryrefslogtreecommitdiff
path: root/src/test/java/dev/dnpm/security
diff options
context:
space:
mode:
authorPaul-Christian Volkmer2024-09-21 22:10:24 +0200
committerPaul-Christian Volkmer2024-09-21 22:10:24 +0200
commitcc27edc544cec1b892e7c224aec9e6e42342aa39 (patch)
tree3036b92f84a707d769782d63c2b018166623abf5 /src/test/java/dev/dnpm/security
parent93215825f5c8aec0912d562b544f370cffe9cda7 (diff)
refactor: use package name following Java guidelines
Diffstat (limited to 'src/test/java/dev/dnpm/security')
-rw-r--r--src/test/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluatorTest.java122
-rw-r--r--src/test/java/dev/dnpm/security/FormBasedPermissionEvaluatorTest.java112
-rw-r--r--src/test/java/dev/dnpm/security/FormBasedSecurityAspectsTest.java131
-rw-r--r--src/test/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluatorTest.java160
-rw-r--r--src/test/java/dev/dnpm/security/PersonPoolBasedSecurityAspectsTest.java163
5 files changed, 688 insertions, 0 deletions
diff --git a/src/test/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluatorTest.java b/src/test/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluatorTest.java
new file mode 100644
index 0000000..c1e71db
--- /dev/null
+++ b/src/test/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluatorTest.java
@@ -0,0 +1,122 @@
+package dev.dnpm.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class DelegatingDataBasedPermissionEvaluatorTest {
+
+ private IOnkostarApi onkostarApi;
+
+ private PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator;
+
+ private FormBasedPermissionEvaluator formBasedPermissionEvaluator;
+
+ private DelegatingDataBasedPermissionEvaluator delegatingDataBasedPermissionEvaluator;
+
+ @BeforeEach
+ void setup(
+ @Mock IOnkostarApi onkostarApi,
+ @Mock PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator,
+ @Mock FormBasedPermissionEvaluator formBasedPermissionEvaluator
+ ) {
+ this.onkostarApi = onkostarApi;
+ this.personPoolBasedPermissionEvaluator = personPoolBasedPermissionEvaluator;
+ this.formBasedPermissionEvaluator = formBasedPermissionEvaluator;
+
+ this.delegatingDataBasedPermissionEvaluator = new DelegatingDataBasedPermissionEvaluator(
+ List.of(personPoolBasedPermissionEvaluator, formBasedPermissionEvaluator)
+ );
+ }
+
+ @Test
+ void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByObject() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
+ when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
+
+ var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ);
+
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByIdAndType() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
+ when(formBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
+
+ var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ);
+
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByObject() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
+ when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(false);
+
+ var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ);
+
+ assertThat(actual).isFalse();
+ }
+
+ @Test
+ void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByIdAndType() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(false);
+
+ var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ);
+
+ assertThat(actual).isFalse();
+ }
+
+}
+
+class DummyAuthentication implements Authentication {
+ @Override
+ public String getName() {
+ return "dummy";
+ }
+
+ @Override
+ public Collection<? extends GrantedAuthority> getAuthorities() {
+ return null;
+ }
+
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
+
+ @Override
+ public Object getDetails() {
+ return null;
+ }
+
+ @Override
+ public Object getPrincipal() {
+ return null;
+ }
+
+ @Override
+ public boolean isAuthenticated() {
+ return false;
+ }
+
+ @Override
+ public void setAuthenticated(boolean b) throws IllegalArgumentException {
+
+ }
+} \ No newline at end of file
diff --git a/src/test/java/dev/dnpm/security/FormBasedPermissionEvaluatorTest.java b/src/test/java/dev/dnpm/security/FormBasedPermissionEvaluatorTest.java
new file mode 100644
index 0000000..2ce938f
--- /dev/null
+++ b/src/test/java/dev/dnpm/security/FormBasedPermissionEvaluatorTest.java
@@ -0,0 +1,112 @@
+package dev.dnpm.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.core.Authentication;
+
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class FormBasedPermissionEvaluatorTest {
+
+ private IOnkostarApi onkostarApi;
+
+ private Authentication dummyAuthentication;
+
+ private SecurityService securityService;
+
+ private FormBasedPermissionEvaluator permissionEvaluator;
+
+ @BeforeEach
+ void setup(
+ @Mock IOnkostarApi onkostarApi,
+ @Mock SecurityService securityService,
+ @Mock DummyAuthentication dummyAuthentication
+ ) {
+ this.onkostarApi = onkostarApi;
+ this.dummyAuthentication = dummyAuthentication;
+ this.securityService = securityService;
+
+ this.permissionEvaluator = new FormBasedPermissionEvaluator(
+ onkostarApi, securityService
+ );
+ }
+
+ @Test
+ void testShouldGrantPermissionByProcedure() {
+ when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5"));
+
+ var object = new Procedure(onkostarApi);
+ object.setFormName("OS.Form2");
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldGrantPermissionByProcedureId() {
+ when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5"));
+
+ doAnswer(invocationOnMock -> {
+ var object = new Procedure(onkostarApi);
+ object.setFormName("OS.Form2");
+ return object;
+ }).when(onkostarApi).getProcedure(anyInt());
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ);
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldDenyPermissionByProcedure() {
+ when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5"));
+
+ var object = new Procedure(onkostarApi);
+ object.setFormName("OS.Form1");
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+ assertThat(actual).isFalse();
+ }
+
+ @Test
+ void testShouldDenyPermissionByProcedureId() {
+ when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5"));
+
+ doAnswer(invocationOnMock -> {
+ var object = new Procedure(onkostarApi);
+ object.setFormName("OS.Form1");
+ return object;
+ }).when(onkostarApi).getProcedure(anyInt());
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ);
+ assertThat(actual).isFalse();
+ }
+
+ @Test
+ void testShouldVoteForPermissionToPatient() {
+ var object = new Patient(onkostarApi);
+ object.setPersonPoolCode("Pool1");
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldVoteForPermissionToIdOfTypeProcedure() {
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, FormBasedPermissionEvaluator.PATIENT, PermissionType.READ);
+ assertThat(actual).isTrue();
+ }
+
+}
diff --git a/src/test/java/dev/dnpm/security/FormBasedSecurityAspectsTest.java b/src/test/java/dev/dnpm/security/FormBasedSecurityAspectsTest.java
new file mode 100644
index 0000000..ee57688
--- /dev/null
+++ b/src/test/java/dev/dnpm/security/FormBasedSecurityAspectsTest.java
@@ -0,0 +1,131 @@
+package dev.dnpm.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class FormBasedSecurityAspectsTest {
+
+ private DummyClass dummyClass;
+
+ private IOnkostarApi onkostarApi;
+
+ private FormBasedPermissionEvaluator permissionEvaluator;
+
+ @BeforeEach
+ void setup(
+ @Mock IOnkostarApi onkostarApi,
+ @Mock FormBasedPermissionEvaluator permissionEvaluator
+ ) {
+ this.onkostarApi = onkostarApi;
+ this.permissionEvaluator = permissionEvaluator;
+
+ // Create proxied instance of DummyClass as done within Onkostar using Spring AOP
+ var dummyClass = new DummyClass(onkostarApi);
+ AspectJProxyFactory factory = new AspectJProxyFactory(dummyClass);
+ FormBasedSecurityAspects securityAspects = new FormBasedSecurityAspects(this.permissionEvaluator);
+ factory.addAspect(securityAspects);
+ this.dummyClass = factory.getProxy();
+ }
+
+ @Test
+ void testShouldAllowSecuredMethodCallWithPatientParam() {
+ this.dummyClass.methodWithPatientParam(new Patient(onkostarApi));
+ verify(onkostarApi, times(1)).savePatient(any(Patient.class));
+ }
+
+ @Test
+ void testShouldPreventSecuredMethodCallWithProcedureParam() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+ .thenReturn(false);
+
+ var exception = assertThrows(
+ Exception.class,
+ () -> this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi))
+ );
+ assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+ }
+
+ @Test
+ void testShouldAllowSecuredMethodCallWithProcedureParam() throws Exception {
+ when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+ .thenReturn(true);
+
+ this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi));
+
+ verify(onkostarApi, times(1)).saveProcedure(any(Procedure.class), anyBoolean());
+ }
+
+ @Test
+ void testShouldAllowSecuredMethodCallWithPatientReturnValue() {
+ var actual = this.dummyClass.methodWithPatientReturnValue(1);
+ assertThat(actual).isNotNull();
+ }
+
+ @Test
+ void testShouldPreventSecuredMethodCallWithProcedureReturnValue() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+ .thenReturn(false);
+
+ var exception = assertThrows(
+ Exception.class,
+ () -> this.dummyClass.methodWithProcedureReturnValue(1)
+ );
+ assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+ }
+
+ @Test
+ void testShouldAllowSecuredMethodCallWithProcedureReturnValue() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+ .thenReturn(true);
+
+ var actual = this.dummyClass.methodWithProcedureReturnValue(1);
+
+ assertThat(actual).isNotNull();
+ }
+
+ private static class DummyClass {
+
+ private final IOnkostarApi onkostarApi;
+
+ DummyClass(final IOnkostarApi onkostarApi) {
+ this.onkostarApi = onkostarApi;
+ }
+
+ @FormSecured
+ public void methodWithPatientParam(Patient patient) {
+ this.onkostarApi.savePatient(patient);
+ }
+
+ @FormSecured
+ public void methodWithProcedureParam(Procedure procedure) throws Exception {
+ this.onkostarApi.saveProcedure(procedure, false);
+ }
+
+ @FormSecuredResult
+ public Patient methodWithPatientReturnValue(int id) {
+ var patient = new Patient(this.onkostarApi);
+ patient.setId(id);
+ return patient;
+ }
+
+ @FormSecuredResult
+ public Procedure methodWithProcedureReturnValue(int id) {
+ var procedure = new Procedure(this.onkostarApi);
+ procedure.setId(id);
+ return procedure;
+ }
+ }
+
+}
diff --git a/src/test/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluatorTest.java b/src/test/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluatorTest.java
new file mode 100644
index 0000000..a5f39e3
--- /dev/null
+++ b/src/test/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluatorTest.java
@@ -0,0 +1,160 @@
+package dev.dnpm.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.core.Authentication;
+
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class PersonPoolBasedPermissionEvaluatorTest {
+
+ private IOnkostarApi onkostarApi;
+
+ private Authentication dummyAuthentication;
+
+ private PersonPoolBasedPermissionEvaluator permissionEvaluator;
+
+ @BeforeEach
+ void setup(
+ @Mock IOnkostarApi onkostarApi,
+ @Mock SecurityService securityService,
+ @Mock DummyAuthentication dummyAuthentication
+ ) {
+ this.onkostarApi = onkostarApi;
+ this.dummyAuthentication = dummyAuthentication;
+
+ this.permissionEvaluator = new PersonPoolBasedPermissionEvaluator(
+ onkostarApi, securityService
+ );
+
+ when(securityService.getPersonPoolIdsForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("Pool2", "Pool3", "Pool5"));
+ }
+
+ @Test
+ void testShouldGrantPermissionByPatientObject() {
+ var object = new Patient(onkostarApi);
+ object.setPersonPoolCode("Pool2");
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldGrantPermissionByPatientIdAndType() {
+ doAnswer(invocationOnMock -> {
+ var object = new Patient(onkostarApi);
+ object.setPersonPoolCode("Pool2");
+ return object;
+ }).when(onkostarApi).getPatient(anyInt());
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PATIENT, PermissionType.READ);
+
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldDenyPermissionByPatientObject() {
+ var object = new Patient(onkostarApi);
+ object.setPersonPoolCode("Pool1");
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+
+ assertThat(actual).isFalse();
+ }
+
+ @Test
+ void testShouldDenyPermissionByPatientIdAndType() {
+ doAnswer(invocationOnMock -> {
+ var object = new Patient(onkostarApi);
+ object.setPersonPoolCode("Pool1");
+ return object;
+ }).when(onkostarApi).getPatient(anyInt());
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PATIENT, PermissionType.READ);
+
+ assertThat(actual).isFalse();
+ }
+
+ @Test
+ void testShouldGrantPermissionByProcedureObject() {
+ var patient = new Patient(onkostarApi);
+ patient.setId(1);
+ patient.setPersonPoolCode("Pool2");
+
+ var object = new Procedure(onkostarApi);
+ object.setFormName("OS.Form1");
+ object.setPatient(patient);
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldGrantPermissionByProcedureIdAndType() {
+ doAnswer(invocationOnMock -> {
+ var patient = new Patient(onkostarApi);
+ patient.setId(1);
+ patient.setPersonPoolCode("Pool2");
+
+ var object = new Procedure(onkostarApi);
+ object.setFormName("OS.Form1");
+ object.setPatient(patient);
+
+ return object;
+ }).when(onkostarApi).getProcedure(anyInt());
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 456, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ);
+
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldDenyPermissionByProcedureObject() {
+ var patient = new Patient(onkostarApi);
+ patient.setId(1);
+ patient.setPersonPoolCode("Pool1");
+
+ var object = new Procedure(onkostarApi);
+ object.setFormName("OS.Form1");
+ object.setPatient(patient);
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ);
+
+ assertThat(actual).isFalse();
+ }
+
+ @Test
+ void testShouldDenyPermissionByProcedureIdAndType() {
+ doAnswer(invocationOnMock -> {
+ var patient = new Patient(onkostarApi);
+ patient.setId(1);
+ patient.setPersonPoolCode("Pool1");
+
+ var object = new Procedure(onkostarApi);
+ object.setFormName("OS.Form1");
+ object.setPatient(patient);
+
+ return object;
+ }).when(onkostarApi).getProcedure(anyInt());
+
+ var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ);
+
+ assertThat(actual).isFalse();
+ }
+
+} \ No newline at end of file
diff --git a/src/test/java/dev/dnpm/security/PersonPoolBasedSecurityAspectsTest.java b/src/test/java/dev/dnpm/security/PersonPoolBasedSecurityAspectsTest.java
new file mode 100644
index 0000000..333a8f3
--- /dev/null
+++ b/src/test/java/dev/dnpm/security/PersonPoolBasedSecurityAspectsTest.java
@@ -0,0 +1,163 @@
+package dev.dnpm.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class PersonPoolBasedSecurityAspectsTest {
+
+ private DummyClass dummyClass;
+
+ private IOnkostarApi onkostarApi;
+
+ private PersonPoolBasedPermissionEvaluator permissionEvaluator;
+
+ @BeforeEach
+ void setup(
+ @Mock IOnkostarApi onkostarApi,
+ @Mock PersonPoolBasedPermissionEvaluator permissionEvaluator
+ ) {
+ this.onkostarApi = onkostarApi;
+ this.permissionEvaluator = permissionEvaluator;
+
+ // Create proxied instance of DummyClass as done within Onkostar using Spring AOP
+ var dummyClass = new DummyClass(onkostarApi);
+ AspectJProxyFactory factory = new AspectJProxyFactory(dummyClass);
+ PersonPoolBasedSecurityAspects securityAspects = new PersonPoolBasedSecurityAspects(this.permissionEvaluator);
+ factory.addAspect(securityAspects);
+ this.dummyClass = factory.getProxy();
+ }
+
+ @Test
+ void testShouldPreventSecuredMethodCallWithPatientParam() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+ .thenReturn(false);
+
+ var exception = assertThrows(
+ Exception.class,
+ () -> this.dummyClass.methodWithPatientParam(new Patient(onkostarApi))
+ );
+ assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+ }
+
+ @Test
+ void testShouldAllowSecuredMethodCallWithPatientParam() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+ .thenReturn(true);
+
+ this.dummyClass.methodWithPatientParam(new Patient(onkostarApi));
+
+ verify(onkostarApi, times(1)).savePatient(any(Patient.class));
+ }
+
+ @Test
+ void testShouldPreventSecuredMethodCallWithProcedureParam() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+ .thenReturn(false);
+
+ var exception = assertThrows(
+ Exception.class,
+ () -> this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi))
+ );
+ assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+ }
+
+ @Test
+ void testShouldAllowSecuredMethodCallWithProcedureParam() throws Exception {
+ when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+ .thenReturn(true);
+
+ this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi));
+
+ verify(onkostarApi, times(1)).saveProcedure(any(Procedure.class), anyBoolean());
+ }
+
+ @Test
+ void testShouldPreventSecuredMethodCallWithPatientReturnValue() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+ .thenReturn(false);
+
+ var exception = assertThrows(
+ Exception.class,
+ () -> this.dummyClass.methodWithPatientReturnValue(1)
+ );
+ assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+ }
+
+ @Test
+ void testShouldAllowSecuredMethodCallWithPatientReturnValue() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+ .thenReturn(true);
+
+ var actual = this.dummyClass.methodWithPatientReturnValue(1);
+
+ assertThat(actual).isNotNull();
+ }
+
+ @Test
+ void testShouldPreventSecuredMethodCallWithProcedureReturnValue() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+ .thenReturn(false);
+
+ var exception = assertThrows(
+ Exception.class,
+ () -> this.dummyClass.methodWithProcedureReturnValue(1)
+ );
+ assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
+ }
+
+ @Test
+ void testShouldAllowSecuredMethodCallWithProcedureReturnValue() {
+ when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
+ .thenReturn(true);
+
+ var actual = this.dummyClass.methodWithProcedureReturnValue(1);
+
+ assertThat(actual).isNotNull();
+ }
+
+ private static class DummyClass {
+
+ private final IOnkostarApi onkostarApi;
+
+ DummyClass(final IOnkostarApi onkostarApi) {
+ this.onkostarApi = onkostarApi;
+ }
+
+ @PersonPoolSecured
+ public void methodWithPatientParam(Patient patient) {
+ this.onkostarApi.savePatient(patient);
+ }
+
+ @PersonPoolSecured
+ public void methodWithProcedureParam(Procedure procedure) throws Exception {
+ this.onkostarApi.saveProcedure(procedure, false);
+ }
+
+ @PersonPoolSecuredResult
+ public Patient methodWithPatientReturnValue(int id) {
+ var patient = new Patient(this.onkostarApi);
+ patient.setId(id);
+ return patient;
+ }
+
+ @PersonPoolSecuredResult
+ public Procedure methodWithProcedureReturnValue(int id) {
+ var procedure = new Procedure(this.onkostarApi);
+ procedure.setId(id);
+ return procedure;
+ }
+ }
+
+}
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-01 12:19:12 +0000