[BAEL-5584] Article code (#12157)

2022-05-03 02:42:41 -03:00
parent 833e3f9e9f
commit 26d944ceaa
12 changed files with 410 additions and 0 deletions
@@ -0,0 +1,67 @@
+package com.baeldung.security.opa.controller;
+
+import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.ApplicationContext;
+import org.springframework.http.MediaType;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+// !!! NOTICE: Start OPA server before running this test class !!!
+@SpringBootTest
+@ActiveProfiles("test")
+class AccountControllerLiveTest {
+
+    @Autowired
+    ApplicationContext context;
+    WebTestClient rest;
+
+    @BeforeEach
+    public void setup() {
+        this.rest = WebTestClient.bindToApplicationContext(this.context)
+          .apply(springSecurity())
+          .configureClient()
+          .build();
+    }
+    
+
+    @Test
+    @WithMockUser(username = "user1", roles = { "account:read:0001"} )
+    void testGivenValidUser_thenSuccess() {
+        rest.get()
+         .uri("/account/0001")
+          .accept(MediaType.APPLICATION_JSON)
+          .exchange()
+          .expectStatus()
+          .is2xxSuccessful();
+    }
+
+    @Test
+    @WithMockUser(username = "user1", roles = { "account:read:0002"} )
+    void testGivenValidUser_thenUnauthorized() {
+        rest.get()
+         .uri("/account/0001")
+          .accept(MediaType.APPLICATION_JSON)
+          .exchange()
+          .expectStatus()
+          .isForbidden();
+    }
+    
+    @Test
+    @WithMockUser(username = "user1", roles = {} )
+    void testGivenNoAuthorities_thenForbidden() {
+        rest.get()
+          .uri("/account/0001")
+          .accept(MediaType.APPLICATION_JSON)
+          .exchange()
+          .expectStatus()
+          .isForbidden();
+    }
+    
+    
+}
@@ -0,0 +1,43 @@
+#
+# Simple authorization rule for accounts
+#
+# Assumes an input document with the following properties:
+#
+# resource: requested resource
+# method: request method
+# authorities: Granted authorities
+# headers: Request headers
+#
+package baeldung.auth.account
+
+# Not authorized by default
+default authorized = false
+
+# Authorize when there are no rules that deny access to the resource and
+# there's at least one rule allowing
+authorized = true {
+    count(deny) == 0
+    count(allow) > 0
+}
+
+# Allow access to /public
+allow["public"] {
+    regex.match("^/public/.*",input.uri)
+}
+
+# Account API requires authenticated user
+deny["account_api_authenticated"] {
+    regex.match("^/account/.*",input.uri)
+    regex.match("ANONYMOUS",input.principal)
+}
+
+# Authorize access to account if principal has
+# matching authority
+allow["account_api_authorized"] {
+    regex.match("^/account/.+",input.uri)
+    parts := split(input.uri,"/")
+    account := parts[2]
+    role := concat(":",[ "ROLE_account", "read", account] )
+    role == input.authorities[i]
+}
+