add junit tests to security of getTargetSecurityToken

Signed-off-by: Michael Hirsch <michael.hirsch@bosch-si.com>

hawkbit-repository/src/test/java/org/eclipse/hawkbit/AbstractIntegrationTest.java

@@ -48,6 +48,7 @@ import org.eclipse.hawkbit.repository.model.DistributionSetType;
 import org.eclipse.hawkbit.repository.model.SoftwareModuleType;
 import org.eclipse.hawkbit.repository.utils.RepositoryDataGenerator.DatabaseCleanupUtil;
 import org.eclipse.hawkbit.security.DosFilter;
+import org.eclipse.hawkbit.security.SystemSecurityContext;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.junit.After;
 import org.junit.AfterClass;
@@ -181,11 +182,10 @@ public abstract class AbstractIntegrationTest implements EnvironmentAware {
 
     @Autowired
     protected TenantAwareCacheManager cacheManager;
-    
+
     @Autowired
     protected TenantConfigurationManagement tenantConfigurationManagement;
 
-
     @Autowired
     protected RolloutManagement rolloutManagement;
 
@@ -198,6 +198,9 @@ public abstract class AbstractIntegrationTest implements EnvironmentAware {
     @Autowired
     protected RolloutRepository rolloutRepository;
 
+    @Autowired
+    protected SystemSecurityContext systemSecurityContext;
+
     protected MockMvc mvc;
 
     @Autowired

hawkbit-repository/src/test/java/org/eclipse/hawkbit/WithSpringAuthorityRule.java

@@ -160,19 +160,23 @@ public class WithSpringAuthorityRule implements TestRule {
     }
 
     public static WithUser withUser(final String principal, final String... authorities) {
-        return withUserAndTenant(principal, "default", true, authorities);
+        return withUserAndTenant(principal, "default", true, true, authorities);
+    }
+    
+    public static WithUser withUser(final String principal, final boolean allSpPermision, final String... authorities) {
+        return withUserAndTenant(principal, "default", true, allSpPermision, authorities);
     }
 
     public static WithUser withUser(final boolean autoCreateTenant) {
-        return withUserAndTenant("bumlux", "default", autoCreateTenant, new String[] {});
+        return withUserAndTenant("bumlux", "default", autoCreateTenant, true, new String[] {});
     }
 
     public static WithUser withUserAndTenant(final String principal, final String tenant, final String... authorities) {
-        return withUserAndTenant(principal, tenant, true, new String[] {});
+        return withUserAndTenant(principal, tenant, true, true, new String[] {});
     }
 
     public static WithUser withUserAndTenant(final String principal, final String tenant,
-            final boolean autoCreateTenant, final String... authorities) {
+            final boolean autoCreateTenant, final boolean allSpPermission, final String... authorities) {
         return new WithUser() {
 
             @Override
@@ -197,7 +201,7 @@ public class WithSpringAuthorityRule implements TestRule {
 
             @Override
             public boolean allSpPermissions() {
-                return true;
+                return allSpPermission;
             }
 
             @Override

hawkbit-repository/src/test/java/org/eclipse/hawkbit/repository/TargetManagementTest.java

@@ -32,6 +32,7 @@ import org.eclipse.hawkbit.AbstractIntegrationTest;
 import org.eclipse.hawkbit.TestDataUtil;
 import org.eclipse.hawkbit.WithSpringAuthorityRule;
 import org.eclipse.hawkbit.WithUser;
+import org.eclipse.hawkbit.im.authentication.SpPermission;
 import org.eclipse.hawkbit.repository.exception.EntityAlreadyExistsException;
 import org.eclipse.hawkbit.repository.exception.TenantNotExistException;
 import org.eclipse.hawkbit.repository.model.Action;
@@ -56,6 +57,36 @@ import ru.yandex.qatools.allure.annotations.Stories;
 @Stories("Target Management")
 public class TargetManagementTest extends AbstractIntegrationTest {
 
+    @Test
+    @Description("Ensures that retrieving the target security is only permitted with the necessary permissions.")
+    public void getTargetSecurityTokenOnlyWithCorrectPermission() throws Exception {
+        final Target createdTarget = targetManagement.createTarget(new Target("targetWithSecurityToken"));
+
+        // retrieve security token only with READ_TARGET_SEC_TOKEN permission
+        final String securityTokenWithReadPermission = securityRule.runAs(WithSpringAuthorityRule
+                .withUser("OnlyTargetReadPermission", false, SpPermission.READ_TARGET_SEC_TOKEN.toString()), () -> {
+                    return createdTarget.getSecurityToken();
+                });
+
+        // retrieve security token as system code execution
+        final String securityTokenAsSystemCode = systemSecurityContext.runAsSystem(() -> {
+            return createdTarget.getSecurityToken();
+        });
+
+        // retrieve security token without any permissions
+        final String securityTokenWithoutPermission = securityRule
+                .runAs(WithSpringAuthorityRule.withUser("NoPermission", false), () -> {
+                    return createdTarget.getSecurityToken();
+                });
+
+        assertThat(createdTarget.getSecurityToken()).isNotNull();
+        assertThat(securityTokenWithReadPermission).isNotNull();
+        assertThat(securityTokenAsSystemCode).isNotNull();
+
+        assertThat(securityTokenWithoutPermission).isNull();
+
+    }
+
     @Test
     @Description("Ensures that targets cannot be created e.g. in plug'n play scenarios when tenant does not exists.")
     @WithUser(tenantId = "tenantWhichDoesNotExists", allSpPermissions = true, autoCreateTenant = false)