Splitting User info from Client Supplier

Breaking the user-specific information out of the ClientInfoSupplier.

Author: jeremiahjstacey

src/main/java/org/owasp/esapi/logging/appender/UserInfoSupplier.java

@@ -0,0 +1,59 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2019
+ */
+
+package org.owasp.esapi.logging.appender;
+
+import java.util.function.Supplier;
+
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.User;
+
+/**
+ * Supplier which can provide a String representing the client-side connection
+ * information.
+ */
+public class UserInfoSupplier implements Supplier<String> {
+    /** Default UserName string if the Authenticated user is null.*/
+    private static final String DEFAULT_USERNAME = "#ANONYMOUS#";
+    
+    /** Whether to log the user info from this instance. */
+    private boolean logUserInfo = true;
+    
+        @Override
+    public String get() {
+        // log user information - username:session@ipaddr
+        User user = ESAPI.authenticator().getCurrentUser();
+        
+        String userInfo = "";
+        if (logUserInfo) {
+            if (user == null) {
+                userInfo = DEFAULT_USERNAME;
+            } else {
+                userInfo = user.getAccountName();            
+            }
+        } 
+        
+        return userInfo;
+    }
+
+    /**
+     * Specify whether the instance should record the client info.
+     * 
+     * @param log {@code true} to record
+     */
+    public void setLogUserInfo(boolean log) {
+        this.logUserInfo = log;
+    }
+}

src/test/java/org/owasp/esapi/logging/appender/UserInfoSupplierTest.java

@@ -0,0 +1,95 @@
+package org.owasp.esapi.logging.appender;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.powermock.api.mockito.PowerMockito.mockStatic;
+import static org.powermock.api.mockito.PowerMockito.when;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestName;
+import org.junit.runner.RunWith;
+import org.mockito.ArgumentMatchers;
+import org.owasp.esapi.Authenticator;
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.Randomizer;
+import org.owasp.esapi.User;
+import org.powermock.core.classloader.annotations.PowerMockIgnore;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+@PrepareForTest({ESAPI.class})
+@PowerMockIgnore("javax.security.*") //Required since User extends javax.security.Principal
+public class UserInfoSupplierTest {
+	private static final String ESAPI_SESSION_ATTR = "ESAPI_SESSION";
+	
+	@Rule
+    public TestName testName = new TestName();
+	
+	private Authenticator mockAuth;
+	private User mockUser;
+	
+	@Before
+	public void before() throws Exception {
+		mockAuth =mock(Authenticator.class); 
+		mockUser =mock(User.class);
+		
+		mockStatic(ESAPI.class);
+		when(ESAPI.class, "authenticator").thenReturn(mockAuth);
+		
+		when(mockUser.getAccountName()).thenReturn(testName.getMethodName() + "-USER");
+		
+	     
+	    when(mockAuth.getCurrentUser()).thenReturn(mockUser);
+	}
+	
+	@Test
+	public void testHappyPath() throws Exception {
+		UserInfoSupplier uis = new UserInfoSupplier();
+		uis.setLogUserInfo(true);
+		String result = uis.get();
+		
+		assertEquals(testName.getMethodName() + "-USER", result);
+		
+		verify(mockAuth,times(1)).getCurrentUser();
+		verify(mockUser,times(1)).getAccountName();
+		
+		verifyNoMoreInteractions(mockAuth, mockUser);
+	}
+	
+	@Test
+	public void testLogUserOff() {
+		UserInfoSupplier uis = new UserInfoSupplier();
+		uis.setLogUserInfo(false);
+		String result = uis.get();
+		
+		assertTrue(result.isEmpty());
+		verify(mockAuth,times(1)).getCurrentUser();
+		
+		verifyNoMoreInteractions(mockAuth, mockUser);
+	}
+	
+	@Test
+	public void testLogUserNull() {
+		when(mockAuth.getCurrentUser()).thenReturn(null);
+		UserInfoSupplier uis = new UserInfoSupplier();
+		uis.setLogUserInfo(true);
+		String result = uis.get();
+		
+		assertEquals("#ANONYMOUS#", result);
+		
+		verify(mockAuth,times(1)).getCurrentUser();
+		
+		verifyNoMoreInteractions(mockAuth,  mockUser);
+	}
+	
+}