From cc27edc544cec1b892e7c224aec9e6e42342aa39 Mon Sep 17 00:00:00 2001 From: Paul-Christian Volkmer Date: Sat, 21 Sep 2024 22:10:24 +0200 Subject: refactor: use package name following Java guidelines --- ...DelegatingDataBasedPermissionEvaluatorTest.java | 122 +++++++++++++++ .../security/FormBasedPermissionEvaluatorTest.java | 112 ++++++++++++++ .../security/FormBasedSecurityAspectsTest.java | 131 +++++++++++++++++ .../PersonPoolBasedPermissionEvaluatorTest.java | 160 ++++++++++++++++++++ .../PersonPoolBasedSecurityAspectsTest.java | 163 +++++++++++++++++++++ 5 files changed, 688 insertions(+) create mode 100644 src/test/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluatorTest.java create mode 100644 src/test/java/dev/dnpm/security/FormBasedPermissionEvaluatorTest.java create mode 100644 src/test/java/dev/dnpm/security/FormBasedSecurityAspectsTest.java create mode 100644 src/test/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluatorTest.java create mode 100644 src/test/java/dev/dnpm/security/PersonPoolBasedSecurityAspectsTest.java (limited to 'src/test/java/dev/dnpm/security') diff --git a/src/test/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluatorTest.java b/src/test/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluatorTest.java new file mode 100644 index 0000000..c1e71db --- /dev/null +++ b/src/test/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluatorTest.java @@ -0,0 +1,122 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Patient; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; + +import java.util.Collection; +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.ArgumentMatchers.*; +import static org.mockito.Mockito.when; + +@ExtendWith(MockitoExtension.class) +class DelegatingDataBasedPermissionEvaluatorTest { + + private IOnkostarApi onkostarApi; + + private PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator; + + private FormBasedPermissionEvaluator formBasedPermissionEvaluator; + + private DelegatingDataBasedPermissionEvaluator delegatingDataBasedPermissionEvaluator; + + @BeforeEach + void setup( + @Mock IOnkostarApi onkostarApi, + @Mock PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator, + @Mock FormBasedPermissionEvaluator formBasedPermissionEvaluator + ) { + this.onkostarApi = onkostarApi; + this.personPoolBasedPermissionEvaluator = personPoolBasedPermissionEvaluator; + this.formBasedPermissionEvaluator = formBasedPermissionEvaluator; + + this.delegatingDataBasedPermissionEvaluator = new DelegatingDataBasedPermissionEvaluator( + List.of(personPoolBasedPermissionEvaluator, formBasedPermissionEvaluator) + ); + } + + @Test + void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByObject() { + when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true); + when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true); + + var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ); + + assertThat(actual).isTrue(); + } + + @Test + void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByIdAndType() { + when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true); + when(formBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true); + + var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ); + + assertThat(actual).isTrue(); + } + + @Test + void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByObject() { + when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true); + when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(false); + + var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ); + + assertThat(actual).isFalse(); + } + + @Test + void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByIdAndType() { + when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(false); + + var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ); + + assertThat(actual).isFalse(); + } + +} + +class DummyAuthentication implements Authentication { + @Override + public String getName() { + return "dummy"; + } + + @Override + public Collection getAuthorities() { + return null; + } + + @Override + public Object getCredentials() { + return null; + } + + @Override + public Object getDetails() { + return null; + } + + @Override + public Object getPrincipal() { + return null; + } + + @Override + public boolean isAuthenticated() { + return false; + } + + @Override + public void setAuthenticated(boolean b) throws IllegalArgumentException { + + } +} \ No newline at end of file diff --git a/src/test/java/dev/dnpm/security/FormBasedPermissionEvaluatorTest.java b/src/test/java/dev/dnpm/security/FormBasedPermissionEvaluatorTest.java new file mode 100644 index 0000000..2ce938f --- /dev/null +++ b/src/test/java/dev/dnpm/security/FormBasedPermissionEvaluatorTest.java @@ -0,0 +1,112 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.springframework.security.core.Authentication; + +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyInt; +import static org.mockito.Mockito.doAnswer; +import static org.mockito.Mockito.when; + +@ExtendWith(MockitoExtension.class) +class FormBasedPermissionEvaluatorTest { + + private IOnkostarApi onkostarApi; + + private Authentication dummyAuthentication; + + private SecurityService securityService; + + private FormBasedPermissionEvaluator permissionEvaluator; + + @BeforeEach + void setup( + @Mock IOnkostarApi onkostarApi, + @Mock SecurityService securityService, + @Mock DummyAuthentication dummyAuthentication + ) { + this.onkostarApi = onkostarApi; + this.dummyAuthentication = dummyAuthentication; + this.securityService = securityService; + + this.permissionEvaluator = new FormBasedPermissionEvaluator( + onkostarApi, securityService + ); + } + + @Test + void testShouldGrantPermissionByProcedure() { + when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5")); + + var object = new Procedure(onkostarApi); + object.setFormName("OS.Form2"); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ); + assertThat(actual).isTrue(); + } + + @Test + void testShouldGrantPermissionByProcedureId() { + when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5")); + + doAnswer(invocationOnMock -> { + var object = new Procedure(onkostarApi); + object.setFormName("OS.Form2"); + return object; + }).when(onkostarApi).getProcedure(anyInt()); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ); + assertThat(actual).isTrue(); + } + + @Test + void testShouldDenyPermissionByProcedure() { + when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5")); + + var object = new Procedure(onkostarApi); + object.setFormName("OS.Form1"); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ); + assertThat(actual).isFalse(); + } + + @Test + void testShouldDenyPermissionByProcedureId() { + when(securityService.getFormNamesForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("OS.Form2", "OS.Form3", "OS.Form5")); + + doAnswer(invocationOnMock -> { + var object = new Procedure(onkostarApi); + object.setFormName("OS.Form1"); + return object; + }).when(onkostarApi).getProcedure(anyInt()); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ); + assertThat(actual).isFalse(); + } + + @Test + void testShouldVoteForPermissionToPatient() { + var object = new Patient(onkostarApi); + object.setPersonPoolCode("Pool1"); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ); + assertThat(actual).isTrue(); + } + + @Test + void testShouldVoteForPermissionToIdOfTypeProcedure() { + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, FormBasedPermissionEvaluator.PATIENT, PermissionType.READ); + assertThat(actual).isTrue(); + } + +} diff --git a/src/test/java/dev/dnpm/security/FormBasedSecurityAspectsTest.java b/src/test/java/dev/dnpm/security/FormBasedSecurityAspectsTest.java new file mode 100644 index 0000000..ee57688 --- /dev/null +++ b/src/test/java/dev/dnpm/security/FormBasedSecurityAspectsTest.java @@ -0,0 +1,131 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.springframework.aop.aspectj.annotation.AspectJProxyFactory; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.*; + +@ExtendWith(MockitoExtension.class) +class FormBasedSecurityAspectsTest { + + private DummyClass dummyClass; + + private IOnkostarApi onkostarApi; + + private FormBasedPermissionEvaluator permissionEvaluator; + + @BeforeEach + void setup( + @Mock IOnkostarApi onkostarApi, + @Mock FormBasedPermissionEvaluator permissionEvaluator + ) { + this.onkostarApi = onkostarApi; + this.permissionEvaluator = permissionEvaluator; + + // Create proxied instance of DummyClass as done within Onkostar using Spring AOP + var dummyClass = new DummyClass(onkostarApi); + AspectJProxyFactory factory = new AspectJProxyFactory(dummyClass); + FormBasedSecurityAspects securityAspects = new FormBasedSecurityAspects(this.permissionEvaluator); + factory.addAspect(securityAspects); + this.dummyClass = factory.getProxy(); + } + + @Test + void testShouldAllowSecuredMethodCallWithPatientParam() { + this.dummyClass.methodWithPatientParam(new Patient(onkostarApi)); + verify(onkostarApi, times(1)).savePatient(any(Patient.class)); + } + + @Test + void testShouldPreventSecuredMethodCallWithProcedureParam() { + when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class))) + .thenReturn(false); + + var exception = assertThrows( + Exception.class, + () -> this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi)) + ); + assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class); + } + + @Test + void testShouldAllowSecuredMethodCallWithProcedureParam() throws Exception { + when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class))) + .thenReturn(true); + + this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi)); + + verify(onkostarApi, times(1)).saveProcedure(any(Procedure.class), anyBoolean()); + } + + @Test + void testShouldAllowSecuredMethodCallWithPatientReturnValue() { + var actual = this.dummyClass.methodWithPatientReturnValue(1); + assertThat(actual).isNotNull(); + } + + @Test + void testShouldPreventSecuredMethodCallWithProcedureReturnValue() { + when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class))) + .thenReturn(false); + + var exception = assertThrows( + Exception.class, + () -> this.dummyClass.methodWithProcedureReturnValue(1) + ); + assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class); + } + + @Test + void testShouldAllowSecuredMethodCallWithProcedureReturnValue() { + when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class))) + .thenReturn(true); + + var actual = this.dummyClass.methodWithProcedureReturnValue(1); + + assertThat(actual).isNotNull(); + } + + private static class DummyClass { + + private final IOnkostarApi onkostarApi; + + DummyClass(final IOnkostarApi onkostarApi) { + this.onkostarApi = onkostarApi; + } + + @FormSecured + public void methodWithPatientParam(Patient patient) { + this.onkostarApi.savePatient(patient); + } + + @FormSecured + public void methodWithProcedureParam(Procedure procedure) throws Exception { + this.onkostarApi.saveProcedure(procedure, false); + } + + @FormSecuredResult + public Patient methodWithPatientReturnValue(int id) { + var patient = new Patient(this.onkostarApi); + patient.setId(id); + return patient; + } + + @FormSecuredResult + public Procedure methodWithProcedureReturnValue(int id) { + var procedure = new Procedure(this.onkostarApi); + procedure.setId(id); + return procedure; + } + } + +} diff --git a/src/test/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluatorTest.java b/src/test/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluatorTest.java new file mode 100644 index 0000000..a5f39e3 --- /dev/null +++ b/src/test/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluatorTest.java @@ -0,0 +1,160 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.springframework.security.core.Authentication; + +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyInt; +import static org.mockito.Mockito.doAnswer; +import static org.mockito.Mockito.when; + +@ExtendWith(MockitoExtension.class) +class PersonPoolBasedPermissionEvaluatorTest { + + private IOnkostarApi onkostarApi; + + private Authentication dummyAuthentication; + + private PersonPoolBasedPermissionEvaluator permissionEvaluator; + + @BeforeEach + void setup( + @Mock IOnkostarApi onkostarApi, + @Mock SecurityService securityService, + @Mock DummyAuthentication dummyAuthentication + ) { + this.onkostarApi = onkostarApi; + this.dummyAuthentication = dummyAuthentication; + + this.permissionEvaluator = new PersonPoolBasedPermissionEvaluator( + onkostarApi, securityService + ); + + when(securityService.getPersonPoolIdsForPermission(any(Authentication.class), any(PermissionType.class))).thenReturn(List.of("Pool2", "Pool3", "Pool5")); + } + + @Test + void testShouldGrantPermissionByPatientObject() { + var object = new Patient(onkostarApi); + object.setPersonPoolCode("Pool2"); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ); + + assertThat(actual).isTrue(); + } + + @Test + void testShouldGrantPermissionByPatientIdAndType() { + doAnswer(invocationOnMock -> { + var object = new Patient(onkostarApi); + object.setPersonPoolCode("Pool2"); + return object; + }).when(onkostarApi).getPatient(anyInt()); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PATIENT, PermissionType.READ); + + assertThat(actual).isTrue(); + } + + @Test + void testShouldDenyPermissionByPatientObject() { + var object = new Patient(onkostarApi); + object.setPersonPoolCode("Pool1"); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ); + + assertThat(actual).isFalse(); + } + + @Test + void testShouldDenyPermissionByPatientIdAndType() { + doAnswer(invocationOnMock -> { + var object = new Patient(onkostarApi); + object.setPersonPoolCode("Pool1"); + return object; + }).when(onkostarApi).getPatient(anyInt()); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PATIENT, PermissionType.READ); + + assertThat(actual).isFalse(); + } + + @Test + void testShouldGrantPermissionByProcedureObject() { + var patient = new Patient(onkostarApi); + patient.setId(1); + patient.setPersonPoolCode("Pool2"); + + var object = new Procedure(onkostarApi); + object.setFormName("OS.Form1"); + object.setPatient(patient); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ); + + assertThat(actual).isTrue(); + } + + @Test + void testShouldGrantPermissionByProcedureIdAndType() { + doAnswer(invocationOnMock -> { + var patient = new Patient(onkostarApi); + patient.setId(1); + patient.setPersonPoolCode("Pool2"); + + var object = new Procedure(onkostarApi); + object.setFormName("OS.Form1"); + object.setPatient(patient); + + return object; + }).when(onkostarApi).getProcedure(anyInt()); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 456, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ); + + assertThat(actual).isTrue(); + } + + @Test + void testShouldDenyPermissionByProcedureObject() { + var patient = new Patient(onkostarApi); + patient.setId(1); + patient.setPersonPoolCode("Pool1"); + + var object = new Procedure(onkostarApi); + object.setFormName("OS.Form1"); + object.setPatient(patient); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, object, PermissionType.READ); + + assertThat(actual).isFalse(); + } + + @Test + void testShouldDenyPermissionByProcedureIdAndType() { + doAnswer(invocationOnMock -> { + var patient = new Patient(onkostarApi); + patient.setId(1); + patient.setPersonPoolCode("Pool1"); + + var object = new Procedure(onkostarApi); + object.setFormName("OS.Form1"); + object.setPatient(patient); + + return object; + }).when(onkostarApi).getProcedure(anyInt()); + + var actual = permissionEvaluator.hasPermission(this.dummyAuthentication, 123, PersonPoolBasedPermissionEvaluator.PROCEDURE, PermissionType.READ); + + assertThat(actual).isFalse(); + } + +} \ No newline at end of file diff --git a/src/test/java/dev/dnpm/security/PersonPoolBasedSecurityAspectsTest.java b/src/test/java/dev/dnpm/security/PersonPoolBasedSecurityAspectsTest.java new file mode 100644 index 0000000..333a8f3 --- /dev/null +++ b/src/test/java/dev/dnpm/security/PersonPoolBasedSecurityAspectsTest.java @@ -0,0 +1,163 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.springframework.aop.aspectj.annotation.AspectJProxyFactory; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.*; + +@ExtendWith(MockitoExtension.class) +class PersonPoolBasedSecurityAspectsTest { + + private DummyClass dummyClass; + + private IOnkostarApi onkostarApi; + + private PersonPoolBasedPermissionEvaluator permissionEvaluator; + + @BeforeEach + void setup( + @Mock IOnkostarApi onkostarApi, + @Mock PersonPoolBasedPermissionEvaluator permissionEvaluator + ) { + this.onkostarApi = onkostarApi; + this.permissionEvaluator = permissionEvaluator; + + // Create proxied instance of DummyClass as done within Onkostar using Spring AOP + var dummyClass = new DummyClass(onkostarApi); + AspectJProxyFactory factory = new AspectJProxyFactory(dummyClass); + PersonPoolBasedSecurityAspects securityAspects = new PersonPoolBasedSecurityAspects(this.permissionEvaluator); + factory.addAspect(securityAspects); + this.dummyClass = factory.getProxy(); + } + + @Test + void testShouldPreventSecuredMethodCallWithPatientParam() { + when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))) + .thenReturn(false); + + var exception = assertThrows( + Exception.class, + () -> this.dummyClass.methodWithPatientParam(new Patient(onkostarApi)) + ); + assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class); + } + + @Test + void testShouldAllowSecuredMethodCallWithPatientParam() { + when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))) + .thenReturn(true); + + this.dummyClass.methodWithPatientParam(new Patient(onkostarApi)); + + verify(onkostarApi, times(1)).savePatient(any(Patient.class)); + } + + @Test + void testShouldPreventSecuredMethodCallWithProcedureParam() { + when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class))) + .thenReturn(false); + + var exception = assertThrows( + Exception.class, + () -> this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi)) + ); + assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class); + } + + @Test + void testShouldAllowSecuredMethodCallWithProcedureParam() throws Exception { + when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class))) + .thenReturn(true); + + this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi)); + + verify(onkostarApi, times(1)).saveProcedure(any(Procedure.class), anyBoolean()); + } + + @Test + void testShouldPreventSecuredMethodCallWithPatientReturnValue() { + when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))) + .thenReturn(false); + + var exception = assertThrows( + Exception.class, + () -> this.dummyClass.methodWithPatientReturnValue(1) + ); + assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class); + } + + @Test + void testShouldAllowSecuredMethodCallWithPatientReturnValue() { + when(this.permissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))) + .thenReturn(true); + + var actual = this.dummyClass.methodWithPatientReturnValue(1); + + assertThat(actual).isNotNull(); + } + + @Test + void testShouldPreventSecuredMethodCallWithProcedureReturnValue() { + when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class))) + .thenReturn(false); + + var exception = assertThrows( + Exception.class, + () -> this.dummyClass.methodWithProcedureReturnValue(1) + ); + assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class); + } + + @Test + void testShouldAllowSecuredMethodCallWithProcedureReturnValue() { + when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class))) + .thenReturn(true); + + var actual = this.dummyClass.methodWithProcedureReturnValue(1); + + assertThat(actual).isNotNull(); + } + + private static class DummyClass { + + private final IOnkostarApi onkostarApi; + + DummyClass(final IOnkostarApi onkostarApi) { + this.onkostarApi = onkostarApi; + } + + @PersonPoolSecured + public void methodWithPatientParam(Patient patient) { + this.onkostarApi.savePatient(patient); + } + + @PersonPoolSecured + public void methodWithProcedureParam(Procedure procedure) throws Exception { + this.onkostarApi.saveProcedure(procedure, false); + } + + @PersonPoolSecuredResult + public Patient methodWithPatientReturnValue(int id) { + var patient = new Patient(this.onkostarApi); + patient.setId(id); + return patient; + } + + @PersonPoolSecuredResult + public Procedure methodWithProcedureReturnValue(int id) { + var procedure = new Procedure(this.onkostarApi); + procedure.setId(id); + return procedure; + } + } + +} -- cgit v1.2.3