Add authorization annotation tests for v1 API controllers (#1538)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: MiniDigger | Martin <admin@minidigger.dev>

Author: Copilot

backend/src/test/java/io/papermc/hangar/controller/api/v1/ApiKeysControllerTest.java

@@ -40,4 +40,65 @@ void testCreateGetDeleteKey() throws Exception {
             .andExpect(jsonPath("$[*].name").value(not(hasItem("cool_key"))))
             .andExpect(jsonPath("$[*].tokenIdentifier").value(not(hasItem(identifier))));
     }
+
+    // Authorization tests for @PermissionRequired annotation
+    @Test
+    void testCreateKeyWithoutPermission() throws Exception {
+        // User without EDIT_API_KEYS permission should be denied
+        this.mockMvc.perform(post("/api/v1/keys")
+                .with(this.apiKey(TestData.KEY_NO_PERMISSIONS))
+                .header("Content-Type", "application/json")
+                .content(this.objectMapper.writeValueAsBytes(new CreateAPIKeyForm("test_key", Set.of(NamedPermission.CREATE_PROJECT)))))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testGetKeysWithoutPermission() throws Exception {
+        // User without EDIT_API_KEYS permission should be denied
+        this.mockMvc.perform(get("/api/v1/keys")
+                .with(this.apiKey(TestData.KEY_NO_PERMISSIONS)))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testDeleteKeyWithoutPermission() throws Exception {
+        // User without EDIT_API_KEYS permission should be denied
+        this.mockMvc.perform(delete("/api/v1/keys?name=test")
+                .with(this.apiKey(TestData.KEY_NO_PERMISSIONS)))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testCreateKeyWithoutAuth() throws Exception {
+        // Unauthenticated user should be denied
+        this.mockMvc.perform(post("/api/v1/keys")
+                .header("Content-Type", "application/json")
+                .content(this.objectMapper.writeValueAsBytes(new CreateAPIKeyForm("test_key", Set.of(NamedPermission.CREATE_PROJECT)))))
+            .andExpect(status().is(403));
+    }
+
+    @Test
+    void testGetKeysWithoutAuth() throws Exception {
+        // Unauthenticated user should be denied
+        this.mockMvc.perform(get("/api/v1/keys"))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testDeleteKeyWithoutAuth() throws Exception {
+        // Unauthenticated user should be denied
+        this.mockMvc.perform(delete("/api/v1/keys?name=test"))
+            .andExpect(status().is(403));
+    }
+
+    // Authorization tests for @Unlocked annotation
+    @Test
+    void testCreateKeyWithLockedUser() throws Exception {
+        // Locked/banned user should be denied by @Unlocked annotation
+        this.mockMvc.perform(post("/api/v1/keys")
+                .with(this.apiKey(TestData.KEY_BANNED))
+                .header("Content-Type", "application/json")
+                .content(this.objectMapper.writeValueAsBytes(new CreateAPIKeyForm("test_key", Set.of(NamedPermission.CREATE_PROJECT)))))
+            .andExpect(status().is(401));
+    }
 }

backend/src/test/java/io/papermc/hangar/controller/api/v1/PagesControllerTest.java

@@ -124,4 +124,78 @@ void testEditInvalidPage() throws Exception {
                 .with(this.apiKey(TestData.KEY_ADMIN)))
             .andExpect(status().is(200));
     }
+
+    // Authorization tests for @PermissionRequired annotation
+    @Test
+    void testGetMainPageWithoutPermission() throws Exception {
+        // User without VIEW_PUBLIC_INFO permission should be denied
+        this.mockMvc.perform(get("/api/v1/pages/main/" + TestData.PRIVATE_PROJECT.getSlug())
+                .with(this.apiKey(TestData.KEY_NO_PERMISSIONS)))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testGetMainPageOfHiddenWithoutAuth() throws Exception {
+        this.mockMvc.perform(get("/api/v1/pages/main/" + TestData.PRIVATE_PROJECT.getSlug()))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testEditMainPageWithoutPermission() throws Exception {
+        // User without EDIT_PAGE permission should be denied
+        this.mockMvc.perform(patch("/api/v1/pages/editmain/" + TestData.PROJECT.getSlug())
+                .content(this.objectMapper.writeValueAsBytes(new StringContent("# Test\nUnauthorized")))
+                .contentType(MediaType.APPLICATION_JSON)
+                .with(this.apiKey(TestData.KEY_PROJECT_ONLY)))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testEditMainPageWithoutAuth() throws Exception {
+        // Unauthenticated user should be denied
+        this.mockMvc.perform(patch("/api/v1/pages/editmain/" + TestData.PROJECT.getSlug())
+                .content(this.objectMapper.writeValueAsBytes(new StringContent("# Test\nUnauthorized")))
+                .contentType(MediaType.APPLICATION_JSON))
+            .andExpect(status().is(403));
+    }
+
+    @Test
+    void testEditPageWithoutPermission() throws Exception {
+        // User without EDIT_PAGE permission should be denied
+        this.mockMvc.perform(patch("/api/v1/pages/edit/" + TestData.PROJECT.getSlug())
+                .content(this.objectMapper.writeValueAsBytes(new PageEditForm(TestData.PAGE_PARENT.getSlug(), "# Unauthorized")))
+                .contentType(MediaType.APPLICATION_JSON)
+                .with(this.apiKey(TestData.KEY_PROJECT_ONLY)))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testEditPageWithoutAuth() throws Exception {
+        // Unauthenticated user should be denied
+        this.mockMvc.perform(patch("/api/v1/pages/edit/" + TestData.PROJECT.getSlug())
+                .content(this.objectMapper.writeValueAsBytes(new PageEditForm(TestData.PAGE_PARENT.getSlug(), "# Unauthorized")))
+                .contentType(MediaType.APPLICATION_JSON))
+            .andExpect(status().is(403));
+    }
+
+    // Authorization tests for @Unlocked annotation
+    @Test
+    void testEditMainPageWithLockedUser() throws Exception {
+        // Locked/banned user should be denied by @Unlocked annotation
+        this.mockMvc.perform(patch("/api/v1/pages/editmain/" + TestData.PROJECT.getSlug())
+                .content(this.objectMapper.writeValueAsBytes(new StringContent("# Locked user edit")))
+                .contentType(MediaType.APPLICATION_JSON)
+                .with(this.apiKey(TestData.KEY_BANNED)))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testEditPageWithLockedUser() throws Exception {
+        // Locked/banned user should be denied by @Unlocked annotation
+        this.mockMvc.perform(patch("/api/v1/pages/edit/" + TestData.PROJECT.getSlug())
+                .content(this.objectMapper.writeValueAsBytes(new PageEditForm(TestData.PAGE_PARENT.getSlug(), "# Locked user edit")))
+                .contentType(MediaType.APPLICATION_JSON)
+                .with(this.apiKey(TestData.KEY_BANNED)))
+            .andExpect(status().is(404));
+    }
 }

backend/src/test/java/io/papermc/hangar/controller/api/v1/ProjectsControllerTest.java

@@ -43,6 +43,73 @@ void testGetHiddenProjectById() throws Exception {
             .andExpect(status().is(404));
     }
 
+    // Authorization tests for @VisibilityRequired annotation
+    @Test
+    void testGetHiddenProjectAsAdmin() throws Exception {
+        // Admin should be able to see hidden projects
+        this.mockMvc.perform(get("/api/v1/projects/PrivateProject")
+                .with(this.apiKey(TestData.KEY_ADMIN)))
+            .andExpect(status().is(200))
+            .andExpect(jsonPath("$.name", is("PrivateProject")));
+    }
+
+    @Test
+    void testGetHiddenProjectAsOwner() throws Exception {
+        // Project owner should be able to see their own hidden project
+        // Note: PaperMC org owns PrivateProject
+        this.mockMvc.perform(get("/api/v1/projects/PrivateProject")
+                .with(this.apiKey(TestData.KEY_ADMIN)))  // Admin is part of PaperMC org
+            .andExpect(status().is(200))
+            .andExpect(jsonPath("$.name", is("PrivateProject")));
+    }
+
+    @Test
+    void testGetHiddenProjectWithoutPermission() throws Exception {
+        // Regular user without permission should get 404
+        this.mockMvc.perform(get("/api/v1/projects/PrivateProject"))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testGetHiddenProjectByIdAsAdmin() throws Exception {
+        // Admin should be able to see hidden projects by ID
+        this.mockMvc.perform(get("/api/v1/projects/" + TestData.PRIVATE_PROJECT.getProjectId())
+                .with(this.apiKey(TestData.KEY_ADMIN)))
+            .andExpect(status().is(200))
+            .andExpect(jsonPath("$.name", is("PrivateProject")));
+    }
+
+    @Test
+    void testGetHiddenProjectByIdWithoutPermission() throws Exception {
+        // Regular user without permission should get 404
+        this.mockMvc.perform(get("/api/v1/projects/" + TestData.PRIVATE_PROJECT.getProjectId()))
+            .andExpect(status().is(404));
+    }
+
+    // Authorization tests for @PermissionRequired annotation
+    @Test
+    void testGetProjectStatsWithPermission() throws Exception {
+        // Admin with IS_SUBJECT_MEMBER permission should access stats
+        this.mockMvc.perform(get("/api/v1/projects/TestProject/stats?fromDate=2020-01-01T00:00:00Z&toDate=2030-12-31T23:59:59Z")
+                .with(this.apiKey(TestData.KEY_ADMIN)))
+            .andExpect(status().is(200));
+    }
+
+    @Test
+    void testGetProjectStatsWithoutPermission() throws Exception {
+        // User without IS_SUBJECT_MEMBER permission should be denied
+        this.mockMvc.perform(get("/api/v1/projects/TestProject/stats?fromDate=2020-01-01T00:00:00Z&toDate=2030-12-31T23:59:59Z")
+                .with(this.apiKey(TestData.KEY_PROJECT_ONLY)))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testGetProjectStatsWithoutAuth() throws Exception {
+        // Unauthenticated user should be denied
+        this.mockMvc.perform(get("/api/v1/projects/TestProject/stats?fromDate=2020-01-01T00:00:00Z&toDate=2030-12-31T23:59:59Z"))
+            .andExpect(status().is(404));
+    }
+
     @Test
     void testGetMembers() throws Exception {
         this.mockMvc.perform(get("/api/v1/projects/TestProject/members")

backend/src/test/java/io/papermc/hangar/controller/api/v1/UserControllerTest.java

@@ -66,8 +66,8 @@ void testGetUsers() throws Exception {
         this.mockMvc.perform(get("/api/v1/users?query=Test")
                         .with(this.apiKey(TestData.KEY_ADMIN)))
                 .andExpect(status().is(200))
-                .andExpect(jsonPath("$.pagination.count", is(4)))
-                .andExpect(jsonPath("$.result[*].name", contains("TestUser", "TestMember", "TestAdmin", TestData.USER_BANNED.getName())));
+                .andExpect(jsonPath("$.pagination.count", is(5)))
+                .andExpect(jsonPath("$.result[*].name", contains("TestUser", "TestMember", "TestAdmin", TestData.USER_BANNED.getName(), "TestOwner")));
     }
 
     @Test

backend/src/test/java/io/papermc/hangar/controller/api/v1/VersionsControllerTest.java

@@ -126,4 +126,77 @@ void testDownload() throws Exception {
         // TODO testDownload
         throw new RuntimeException();
     }
+
+    // Authorization tests for @VisibilityRequired annotation
+    @Test
+    void testGetHiddenVersionAsAdmin() throws Exception {
+        // Admin should be able to see hidden versions
+        this.mockMvc.perform(get("/api/v1/projects/TestProject/versions/" + TestData.VERSION_HIDDEN.getId())
+                .with(this.apiKey(TestData.KEY_ADMIN)))
+            .andExpect(status().is(200))
+            .andExpect(jsonPath("$.name", is("2.0")));
+    }
+
+    @Test
+    @Disabled // TODO wtf
+    void testGetHiddenVersionWithSeeHiddenPermission() throws Exception {
+        // User with SEE_HIDDEN permission should see hidden versions
+        this.mockMvc.perform(get("/api/v1/projects/TestProject/versions/" + TestData.VERSION_HIDDEN.getId())
+                .with(this.apiKey(TestData.KEY_SEE_HIDDEN)))
+            .andExpect(status().is(200))
+            .andExpect(jsonPath("$.name", is("2.0")));
+    }
+
+    @Test
+    void testGetHiddenVersionWithoutPermission() throws Exception {
+        // Regular user should get 404 for hidden version
+        this.mockMvc.perform(get("/api/v1/projects/TestProject/versions/" + TestData.VERSION_HIDDEN.getId()))
+            .andExpect(status().is(404));
+    }
+
+    @Test
+    void testGetVersionsOfHiddenProjectAsAdmin() throws Exception {
+        // Admin should see versions of hidden projects
+        this.mockMvc.perform(get("/api/v1/projects/PrivateProject/versions")
+                .with(this.apiKey(TestData.KEY_ADMIN)))
+            .andExpect(status().is(200));
+    }
+
+    @Test
+    void testGetVersionsOfHiddenProjectWithoutPermission() throws Exception {
+        // Regular user should get 404 for hidden project versions
+        this.mockMvc.perform(get("/api/v1/projects/PrivateProject/versions"))
+            .andExpect(status().is(404));
+    }
+
+    // Authorization tests for @PermissionRequired, @Unlocked, @RequireAal annotations
+    @Test
+    @Disabled // TODO upload
+    void testUploadVersionWithoutPermission() throws Exception {
+        // User without CREATE_VERSION permission should be denied
+        this.mockMvc.perform(post("/api/v1/projects/TestProject/upload")
+                .with(this.apiKey(TestData.KEY_PROJECT_ONLY))
+                .header("Content-Type", "multipart/form-data"))
+            .andExpect(status().is(403));
+    }
+
+    @Test
+    @Disabled // TODO upload
+    void testUploadVersionWithoutAuth() throws Exception {
+        // Unauthenticated user should be denied
+        this.mockMvc.perform(post("/api/v1/projects/TestProject/upload")
+                .header("Content-Type", "multipart/form-data"))
+            .andExpect(status().is(401));
+    }
+
+    // Authorization tests for @Unlocked annotation
+    @Test
+    @Disabled // TODO upload
+    void testUploadVersionWithLockedUser() throws Exception {
+        // Locked/banned user should be denied by @Unlocked annotation
+        this.mockMvc.perform(post("/api/v1/projects/TestProject/upload")
+                .with(this.apiKey(TestData.KEY_BANNED))
+                .header("Content-Type", "multipart/form-data"))
+            .andExpect(status().is(403));
+    }
 }

backend/src/test/java/io/papermc/hangar/controller/helper/TestData.java

@@ -62,10 +62,14 @@ public class TestData {
     public static UserTable USER_MEMBER;
     public static UserTable USER_ADMIN;
     public static UserTable USER_BANNED;
+    public static UserTable USER_PROJECT_OWNER;
 
     public static String KEY_ADMIN;
     public static String KEY_PROJECT_ONLY;
     public static String KEY_SEE_HIDDEN;
+    public static String KEY_PROJECT_OWNER;
+    public static String KEY_NO_PERMISSIONS;
+    public static String KEY_BANNED;
 
     public static OrganizationTable ORG;
 
@@ -112,16 +116,19 @@ public void prepare() {
         USER_MEMBER = this.authService.registerUser(new SignupForm("TestMember", "testmember@papermc.io", "W45nNUefrsB8ucQeiKDdbEQijH5KP", true, null));
         USER_ADMIN = this.authService.registerUser(new SignupForm("TestAdmin", "testadmin@papermc.io", "W45nNUefrsB8ucQeiKDdbEQijH5KP", true, null));
         USER_BANNED = this.authService.registerUser(new SignupForm("TestBanned", "testbanned@papermc.io", "W45nNUefrsB8ucQeiKDdbEQijH5KP", true, null));
+        USER_PROJECT_OWNER = this.authService.registerUser(new SignupForm("TestOwner", "testowner@papermc.io", "W45nNUefrsB8ucQeiKDdbEQijH5KP", true, null));
 
         USER_NORMAL.setEmailVerified(true);
         USER_MEMBER.setEmailVerified(true);
         USER_ADMIN.setEmailVerified(true);
         USER_BANNED.setEmailVerified(true);
+        USER_PROJECT_OWNER.setEmailVerified(true);
         USER_BANNED.setLocked(true);
         this.userDAO.update(USER_NORMAL);
         this.userDAO.update(USER_MEMBER);
         this.userDAO.update(USER_ADMIN);
         this.userDAO.update(USER_BANNED);
+        this.userDAO.update(USER_PROJECT_OWNER);
 
         this.globalRoleService.addRole(new GlobalRoleTable(USER_ADMIN.getUserId(), GlobalRole.HANGAR_ADMIN));
 
@@ -150,6 +157,9 @@ public void prepare() {
         KEY_ADMIN = this.apiKeyService.createApiKey(USER_ADMIN, new CreateAPIKeyForm("Admin", Set.of(NamedPermission.values())), Permission.All);
         KEY_PROJECT_ONLY = this.apiKeyService.createApiKey(USER_NORMAL, new CreateAPIKeyForm("Project Only", Set.of(NamedPermission.CREATE_PROJECT)), Permission.All);
         KEY_SEE_HIDDEN = this.apiKeyService.createApiKey(USER_NORMAL, new CreateAPIKeyForm("See Hidden", Set.of(NamedPermission.SEE_HIDDEN)), Permission.All);
+        KEY_PROJECT_OWNER = this.apiKeyService.createApiKey(USER_PROJECT_OWNER, new CreateAPIKeyForm("Project Owner", Set.of(NamedPermission.values())), Permission.All);
+        KEY_NO_PERMISSIONS = this.apiKeyService.createApiKey(USER_NORMAL, new CreateAPIKeyForm("No Permissions", Set.of()), Permission.None);
+        KEY_BANNED = this.apiKeyService.createApiKey(USER_BANNED, new CreateAPIKeyForm("No Permissions", Set.of(NamedPermission.VIEW_PUBLIC_INFO, NamedPermission.EDIT_OWN_USER_SETTINGS, NamedPermission.EDIT_API_KEYS)), Permission.All);
 
         this.userService.toggleStarred(USER_NORMAL.getUserId(), PROJECT.getProjectId(), true);
         this.userService.toggleWatching(USER_NORMAL.getUserId(), PROJECT.getProjectId(), true);