• Example Search
• Project Search

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

• play-zhewbacca-master
  • src
    • main
      • scala
        • org
          • zalando
            • zhewbacca
              • SecurityRulesRepository.scala
              • SecurityRule.scala
              • AuthProvider.scala
              • Scope.scala
              • TokenInfoConverter.scala
              • OAuth2Token.scala
              • IAMClient.scala
              • RequestValidator.scala
              • SecurityFilter.scala
              • OAuth2AuthProvider.scala
              • TokenInfo.scala
              • metrics
                • PluggableMetrics.scala
                • NoOpPluggableMetrics.scala
              • AuthResult.scala
              • AlwaysPassAuthProvider.scala
    • test
      • resources
        • access-token-not-valid.json
        • token-with-missed-token-type.json
        • security_unknown-http-method.conf
        • security_no-scopes.conf
        • logback.xml
        • security_filter.conf
        • security_custom-security.conf
        • security_rules.conf
        • valid-token-with-client-id.json
        • not-a-json-at-all.json
        • security_pass-through.conf
        • security_commented.conf
        • valid-token-with-unknown-field.json
        • valid-token-with-uid-scope.json
      • scala
        • org
          • zalando
            • zhewbacca
              • SecurityRulesRepositorySpec.scala
              • TestingFilters.scala
              • TokenInfoConverterSpec.scala
              • OAuth2AuthProviderSpec.scala
              • SecurityRuleSpec.scala
              • AlwaysPassAuthProviderSpec.scala
              • OAuth2TokenSpec.scala
              • RequestValidatorSpec.scala
              • SecurityFilterSpec.scala
              • IAMClientSpec.scala
              • ScopeTestSpec.scala
  • scalastyle-config.xml
  • LICENSE
  • project
    • build.properties
    • plugins.sbt
  • MAINTAINERS
  • CONTRIBUTING.md
  • CHANGELOG.md
  • SECURITY.md
  • .travis.yml
  • README.md
  • build.sbt
  • .zappr.yaml
  • .gitignore

package org.zalando.zhewbacca

import org.specs2.mutable.Specification
import play.api.mvc._
import play.api.test.FakeRequest

import scala.concurrent.duration._
import scala.concurrent.{Await, Future}
import scala.concurrent.ExecutionContext.Implicits.global
class RequestValidatorSpec extends Specification {

  val testTokenInfo = TokenInfo("", Scope.Empty, "token type", "user uid", realm = "/employees")

  "Request Validator" should {
    "provide token information when token is valid" in {
      val authProvider = new AuthProvider {
        override def valid(token: Option[OAuth2Token], scope: Scope): Future[AuthResult] =
          Future.successful(AuthTokenValid(testTokenInfo))
      }

      val result = Await.result(RequestValidator.validate(Scope(Set("uid")), FakeRequest(), authProvider), 1.seconds)
      result must beEqualTo(Right(testTokenInfo))
    }

    "return HTTP status 401 (unauthorized) when token was not provided" in {
      val authProvider = new AuthProvider {
        override def valid(token: Option[OAuth2Token], scope: Scope): Future[AuthResult] =
          Future.successful(AuthTokenEmpty)
      }

      val result = Await.result(RequestValidator.validate(Scope(Set("uid")), FakeRequest(), authProvider), 1.seconds)
      result must beEqualTo(Left(Results.Unauthorized))
    }

    "return HTTP status 401 (unauthorized) when token is in valid" in {
      val authProvider = new AuthProvider {
        override def valid(token: Option[OAuth2Token], scope: Scope): Future[AuthResult] =
          Future.successful(AuthTokenInvalid)
      }

      val result = Await.result(RequestValidator.validate(Scope(Set("uid")), FakeRequest(), authProvider), 1.seconds)
      result must beEqualTo(Left(Results.Unauthorized))
    }

    "return HTTP status 401 (unauthorized) when Authorization provider has failed" in {
      val authProvider = new AuthProvider {
        override def valid(token: Option[OAuth2Token], scope: Scope): Future[AuthResult] =
          Future.failed(new RuntimeException)
      }

      val result = Await.result(RequestValidator.validate(Scope(Set("uid")), FakeRequest(), authProvider), 1.seconds)
      result must beEqualTo(Left(Results.Unauthorized))
    }

    "return HTTP status 403 (forbidden) in case insufficient scopes" in {
      val authProvider = new AuthProvider {
        override def valid(token: Option[OAuth2Token], scope: Scope): Future[AuthResult] =
          Future.successful(AuthTokenInsufficient)
      }

      val result = Await.result(RequestValidator.validate(Scope(Set("uid")), FakeRequest(), authProvider), 1.seconds)
      result must beEqualTo(Left(Results.Forbidden))
    }
  }
}