Example 1 with ApiToken

Use of org.hisp.dhis.security.apikey.ApiToken in project dhis2-core by dhis2, from the class ApiTokenAuthenticationTest, method testExpiredToken.

@Test
void testExpiredToken() {
    // Create a token; keep both the persisted entity and the raw key a client would present.
    final TokenAndKey tokenAndKey = createNewToken();
    final String key = tokenAndKey.key;
    final ApiToken apiToken = tokenAndKey.apiToken;
    // Expiry is stored as epoch milliseconds; move it 36 seconds into the past.
    apiToken.setExpire(System.currentTimeMillis() - 36000);
    // An expired token must be rejected with 401 and the error message must name the reason.
    assertEquals("Failed to authenticate API token, token has expired.",
        GET(URI, ApiTokenHeader(key)).error(HttpStatus.UNAUTHORIZED).getMessage());
}
Imports used: org.hisp.dhis.security.apikey.ApiToken, org.hisp.dhis.webapi.DhisControllerWithApiTokenAuthTest, org.junit.jupiter.api.Test

Example 2 with ApiToken

Use of org.hisp.dhis.security.apikey.ApiToken in project dhis2-core by dhis2, from the class ApiTokenAuthenticationTest, method testAllowedReferrerRule.

@Test
void testAllowedReferrerRule() {
    final TokenAndKey tokenAndKey = createNewToken();
    final String key = tokenAndKey.key;
    final ApiToken apiToken = tokenAndKey.apiToken;
    // Once the referrer allow-list is non-empty, every request must carry a matching Referer header.
    apiToken.addReferrerToAllowedList("https://one.io");
    apiTokenService.update(apiToken);
    // A request with a valid key but no Referer header is rejected with 401.
    assertEquals("Failed to authenticate API token, request http referrer is missing or not allowed.",
        GET(URI, ApiTokenHeader(key)).error(HttpStatus.UNAUTHORIZED).getMessage());
    apiToken.addReferrerToAllowedList("https://two.io");
    apiTokenService.update(apiToken);
    // With a Referer that matches an allow-listed entry the token authenticates as its owner.
    JsonUser user = GET(URI, ApiTokenHeader(key), Header("referer", "https://two.io")).content().as(JsonUser.class);
    assertEquals(adminUser.getUid(), user.getId());
}
Imports used: org.hisp.dhis.webapi.json.domain.JsonUser, org.hisp.dhis.security.apikey.ApiToken, org.hisp.dhis.webapi.DhisControllerWithApiTokenAuthTest, org.junit.jupiter.api.Test

Example 3 with ApiToken

Use of org.hisp.dhis.security.apikey.ApiToken in project dhis2-core by dhis2, from the class ApiTokenAuthenticationTest, method testAllowedIpRule.

@Test
void testAllowedIpRule() {
    final TokenAndKey tokenAndKey = createNewToken();
    final String key = tokenAndKey.key;
    final ApiToken apiToken = tokenAndKey.apiToken;
    // Once the IP allow-list is non-empty, the request's source address must be on it.
    apiToken.addIpToAllowedList("192.168.2.1");
    apiTokenService.update(apiToken);
    // The test client connects from 127.0.0.1, which is not allow-listed yet: 401.
    assertEquals("Failed to authenticate API token, request ip address is not allowed.",
        GET(URI, ApiTokenHeader(key)).error(HttpStatus.UNAUTHORIZED).getMessage());
    apiToken.addIpToAllowedList("127.0.0.1");
    apiTokenService.update(apiToken);
    // After allow-listing the loopback address the same request authenticates as the token owner.
    JsonUser user = GET(URI, ApiTokenHeader(key)).content().as(JsonUser.class);
    assertEquals(adminUser.getUid(), user.getId());
}
Imports used: org.hisp.dhis.webapi.json.domain.JsonUser, org.hisp.dhis.security.apikey.ApiToken, org.hisp.dhis.webapi.DhisControllerWithApiTokenAuthTest, org.junit.jupiter.api.Test

Example 4 with ApiToken

Use of org.hisp.dhis.security.apikey.ApiToken in project dhis2-core by dhis2, from the class ApiTokenControllerTest, method testCantModifyKeyPatch.

@Test
void testCantModifyKeyPatch() {
    final ApiToken newToken = createNewEmptyToken();
    // Attempt to overwrite the server-generated key through a JSON Patch on the token resource.
    final HttpResponse patch = PATCH(ApiTokenSchemaDescriptor.API_ENDPOINT + "/{id}",
        newToken.getUid() + "?importReportMode=ERRORS",
        Body("[{'op':'replace','path':'/key','value':'MY NEW VALUE'}]"));
    // The key is immutable via the API: the stored value must be unchanged after the patch.
    final ApiToken afterPatched = apiTokenService.getWithUid(newToken.getUid());
    assertEquals(newToken.getKey(), afterPatched.getKey());
}
Imports used: org.hisp.dhis.security.apikey.ApiToken, org.hisp.dhis.webapi.json.domain.JsonApiToken, org.hisp.dhis.webapi.DhisControllerConvenienceTest, org.junit.jupiter.api.Test

Example 5 with ApiToken

Use of org.hisp.dhis.security.apikey.ApiToken in project dhis2-core by dhis2, from the class ApiTokenControllerTest, method testCanModifyWithPut.

@Test
void testCanModifyWithPut() {
    final ApiToken newToken = createNewEmptyToken();
    // Fetch the token as an entity and populate all three restriction lists.
    final ApiToken apiToken1 = fetchAsEntity(newToken.getUid());
    apiToken1.addReferrerToAllowedList("http://hostname1.com");
    apiToken1.addMethodToAllowedList("GET");
    apiToken1.addIpToAllowedList("2.2.2.2");
    // A full PUT of the serialized token is accepted.
    assertStatus(HttpStatus.OK, PUT(ApiTokenSchemaDescriptor.API_ENDPOINT + "/{id}",
        newToken.getUid() + "?importReportMode=ERRORS", Body(renderService.toJsonAsString(apiToken1))));
    // The restrictions round-trip through the API and are persisted.
    final ApiToken apiToken2 = fetchAsEntity(newToken.getUid());
    assertTrue(apiToken2.getIpAllowedList().getAllowedIps().contains("2.2.2.2"));
    assertTrue(apiToken2.getMethodAllowedList().getAllowedMethods().contains("GET"));
    assertTrue(apiToken2.getRefererAllowedList().getAllowedReferrers().contains("http://hostname1.com"));
    // Removing the entries and PUTting again must clear them as well.
    apiToken2.getIpAllowedList().getAllowedIps().remove("2.2.2.2");
    apiToken2.getMethodAllowedList().getAllowedMethods().remove("GET");
    apiToken2.getRefererAllowedList().getAllowedReferrers().remove("http://hostname1.com");
    assertStatus(HttpStatus.OK, PUT(ApiTokenSchemaDescriptor.API_ENDPOINT + "/{id}",
        newToken.getUid() + "?importReportMode=ERRORS", Body(renderService.toJsonAsString(apiToken2))));
    final ApiToken apiToken3 = fetchAsEntity(newToken.getUid());
    assertFalse(apiToken3.getIpAllowedList().getAllowedIps().contains("2.2.2.2"));
    assertFalse(apiToken3.getMethodAllowedList().getAllowedMethods().contains("GET"));
    assertFalse(apiToken3.getRefererAllowedList().getAllowedReferrers().contains("http://hostname1.com"));
}
Imports used: org.hisp.dhis.security.apikey.ApiToken, org.hisp.dhis.webapi.json.domain.JsonApiToken, org.hisp.dhis.webapi.DhisControllerConvenienceTest, org.junit.jupiter.api.Test

Aggregations (types used alongside ApiToken across the indexed examples, with usage counts)

ApiToken (org.hisp.dhis.security.apikey.ApiToken): 21
Test (org.junit.jupiter.api.Test): 17
DhisControllerConvenienceTest (org.hisp.dhis.webapi.DhisControllerConvenienceTest): 13
JsonApiToken (org.hisp.dhis.webapi.json.domain.JsonApiToken): 13
DhisControllerWithApiTokenAuthTest (org.hisp.dhis.webapi.DhisControllerWithApiTokenAuthTest): 4
JsonUser (org.hisp.dhis.webapi.json.domain.JsonUser): 3
User (org.hisp.dhis.user.User): 2
MetadataImportParams (org.hisp.dhis.dxf2.metadata.MetadataImportParams): 1
WebMessage (org.hisp.dhis.dxf2.webmessage.WebMessage): 1
ObjectReport (org.hisp.dhis.feedback.ObjectReport): 1
CreateAccessDeniedException (org.hisp.dhis.hibernate.exception.CreateAccessDeniedException): 1
JsonObject (org.hisp.dhis.jsontree.JsonObject): 1
CurrentUser (org.hisp.dhis.user.CurrentUser): 1
PostMapping (org.springframework.web.bind.annotation.PostMapping): 1
ResponseBody (org.springframework.web.bind.annotation.ResponseBody): 1