Improve test cases and code coverage

Author: Sae126V

iam-login-service/src/main/java/it/infn/mw/iam/api/account/lockout/AccountLockoutController.java

@@ -39,7 +39,7 @@ public AccountLockoutController(IamAccountLoginLockoutRepository lockoutRepo) {
 
   @GetMapping("/iam/account/{uuid}/lockout")
   @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
-  public ResponseEntity<?> getLockoutStatus(@PathVariable String uuid) {
+  public ResponseEntity<Map<String, Object>> getLockoutStatus(@PathVariable String uuid) {
     Optional<IamAccountLoginLockout> lockout = lockoutRepo.findByAccountUuid(uuid);
 
     if (lockout.isPresent() && lockout.get().getSuspendedUntil() != null
@@ -54,7 +54,7 @@ public ResponseEntity<?> getLockoutStatus(@PathVariable String uuid) {
 
   @GetMapping("/iam/account/lockout/suspended")
   @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
-  public ResponseEntity<?> getAllSuspendedUsers() {
+  public ResponseEntity<List<String>> getAllSuspendedUsers() {
     List<String> suspendedUsers = lockoutRepo.findAllSuspendedUsers();
     return ResponseEntity.ok(suspendedUsers);
   }

iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/lockout/AccountLockoutControllerTests.java

@@ -0,0 +1,101 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.test.api.account.lockout;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.Mockito.when;
+
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.http.ResponseEntity;
+
+import it.infn.mw.iam.api.account.lockout.AccountLockoutController;
+import it.infn.mw.iam.persistence.model.IamAccount;
+import it.infn.mw.iam.persistence.model.IamAccountLoginLockout;
+import it.infn.mw.iam.persistence.repository.IamAccountLoginLockoutRepository;
+
+@ExtendWith(MockitoExtension.class)
+class AccountLockoutControllerTests {
+
+  @Mock
+  private IamAccountLoginLockoutRepository lockoutRepo;
+
+  private AccountLockoutController controller;
+  private IamAccount account;
+
+  @BeforeEach
+  void setup() {
+    controller = new AccountLockoutController(lockoutRepo);
+    account = new IamAccount();
+    account.setUuid("uuid-1");
+    account.setUsername("testuser");
+  }
+
+  @Test
+  void getLockoutStatusReturnsSuspended() {
+    IamAccountLoginLockout lockout = new IamAccountLoginLockout(account);
+    long future = System.currentTimeMillis() + 60_000;
+    lockout.setSuspendedUntil(new Date(future));
+    when(lockoutRepo.findByAccountUuid("uuid-1")).thenReturn(Optional.of(lockout));
+
+    ResponseEntity<Map<String, Object>> r = controller.getLockoutStatus("uuid-1");
+    assertEquals(true, r.getBody().get("suspended"));
+    assertEquals(future, r.getBody().get("suspendedUntil"));
+  }
+
+  @Test
+  void getLockoutStatusReturnsNotSuspendedWhenEmpty() {
+    when(lockoutRepo.findByAccountUuid("uuid-1")).thenReturn(Optional.empty());
+
+    ResponseEntity<Map<String, Object>> r = controller.getLockoutStatus("uuid-1");
+    assertEquals(false, r.getBody().get("suspended"));
+  }
+
+  @Test
+  void getLockoutStatusReturnsNotSuspendedWhenExpired() {
+    IamAccountLoginLockout lockout = new IamAccountLoginLockout(account);
+    lockout.setSuspendedUntil(new Date(System.currentTimeMillis() - 1_000));
+    when(lockoutRepo.findByAccountUuid("uuid-1")).thenReturn(Optional.of(lockout));
+
+    ResponseEntity<Map<String, Object>> r = controller.getLockoutStatus("uuid-1");
+    assertEquals(false, r.getBody().get("suspended"));
+  }
+
+  @Test
+  void getLockoutStatusReturnsNotSuspendedWhenNullSuspendedUntil() {
+    IamAccountLoginLockout lockout = new IamAccountLoginLockout(account);
+    when(lockoutRepo.findByAccountUuid("uuid-1")).thenReturn(Optional.of(lockout));
+
+    ResponseEntity<Map<String, Object>> r = controller.getLockoutStatus("uuid-1");
+    assertEquals(false, r.getBody().get("suspended"));
+  }
+
+  @Test
+  void getAllSuspendedUsersReturnsUuids() {
+    when(lockoutRepo.findAllSuspendedUsers()).thenReturn(List.of("uuid-a", "uuid-b"));
+
+    ResponseEntity<List<String>> r = controller.getAllSuspendedUsers();
+    assertEquals(2, r.getBody().size());
+  }
+}

iam-login-service/src/test/java/it/infn/mw/iam/test/authn/lockout/DefaultLoginLockoutServiceTests.java

@@ -145,7 +145,6 @@ void fullLifecycleSuspendSuspendDisable() {
     // Suspension expires again
     lockout.setSuspendedUntil(new Date(System.currentTimeMillis() - 1000));
     service.checkIamAccountLockout(USERNAME);
-
     // ROUND 3: 2 failures -> account disabled, row deleted
     service.recordFailedAttempt(USERNAME);
     service.recordFailedAttempt(USERNAME);
@@ -154,4 +153,44 @@ void fullLifecycleSuspendSuspendDisable() {
     verify(accountRepo).save(account);
     verify(lockoutRepo).delete(lockout);
   }
+
+  @Test
+  void checkLockoutNoRecordIsNoop() {
+    when(lockoutRepo.findByAccountUsername(USERNAME)).thenReturn(Optional.empty());
+    assertDoesNotThrow(() -> service.checkIamAccountLockout(USERNAME));
+  }
+
+  @Test
+  void recordFailedAttemptUnknownUserIsNoop() {
+    when(accountRepo.findByUsername(USERNAME)).thenReturn(Optional.empty());
+    service.recordFailedAttempt(USERNAME);
+    verify(lockoutRepo, never()).save(any());
+  }
+
+  @Test
+  void recordFailedAttemptInactiveAccountIsNoop() {
+    account.setActive(false);
+    when(accountRepo.findByUsername(USERNAME)).thenReturn(Optional.of(account));
+    service.recordFailedAttempt(USERNAME);
+    verify(lockoutRepo, never()).save(any());
+  }
+
+  @Test
+  void recordFailedAttemptWhileSuspendedIsNoop() {
+    IamAccountLoginLockout lockout = new IamAccountLoginLockout(account);
+    lockout.setSuspendedUntil(new Date(System.currentTimeMillis() + 60_000));
+    when(accountRepo.findByUsername(USERNAME)).thenReturn(Optional.of(account));
+    when(lockoutRepo.findByAccountUsername(USERNAME)).thenReturn(Optional.of(lockout));
+
+    service.recordFailedAttempt(USERNAME);
+    verify(lockoutRepo, never()).save(any());
+  }
+
+  @Test
+  void resetNoRowIsNoop() {
+    when(lockoutRepo.findByAccountUsername(USERNAME)).thenReturn(Optional.empty());
+    service.resetFailedAttempts(USERNAME);
+    verify(lockoutRepo, never()).delete(any());
+  }
+
 }

iam-login-service/src/test/java/it/infn/mw/iam/test/core/IamLocalAuthenticationProviderTests.java

@@ -99,4 +99,17 @@ void testWhenPreAuthenticatedThenAuthenticateSetFalseToAuthenticated() {
         // Verify that super.authenticate was not called
         verify(iamLocalAuthenticationProvider, never()).authenticate(any(UsernamePasswordAuthenticationToken.class));
     }
+
+  @Test
+  void resetCalledOnNonMfaSuccess() {
+        ExtendedAuthenticationToken token = new ExtendedAuthenticationToken("user", "cred");
+        token.setPreAuthenticated(true);
+        IamAccount account = newAccount("user");
+        when(accountRepo.findByUsername("user")).thenReturn(Optional.of(account));
+        when(iamTotpMfaService.isAuthenticatorAppActive(account)).thenReturn(false);
+
+        iamLocalAuthenticationProvider.authenticate(token);
+
+        verify(lockoutService).resetFailedAttempts("user");
+    }
 }

iam-login-service/src/test/java/it/infn/mw/iam/test/multi_factor_authentication/MultiFactorTotpCheckProviderTests.java

@@ -19,6 +19,9 @@
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 import java.util.Optional;
@@ -28,6 +31,7 @@
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
 import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.LockedException;
 
 import it.infn.mw.iam.api.account.multi_factor_authentication.IamTotpMfaService;
 import it.infn.mw.iam.authn.lockout.LoginLockoutService;
@@ -106,17 +110,34 @@ void authenticateThrowsBadCredentialsExceptionWhenTotpIsInvalid() {
 
     assertThrows(BadCredentialsException.class,
         () -> multiFactorTotpCheckProvider.authenticate(token));
+
+    verify(lockoutService).recordFailedAttempt("totp");
+    verify(lockoutService, never()).resetFailedAttempts(anyString());
   }
 
   @Test
-  void authenticateReturnsSuccessfulAuthenticationWhenTotpIsValid() {
+  void authenticateResetsLockoutWhenTotpIsValid() {
     IamAccount account = cloneAccount(TOTP_MFA_ACCOUNT);
     when(token.getName()).thenReturn("totp");
     when(token.getTotp()).thenReturn("123456");
     when(accountRepo.findByUsername("totp")).thenReturn(Optional.of(account));
     when(totpMfaService.verifyTotp(account, "123456")).thenReturn(true);
 
     assertNotNull(multiFactorTotpCheckProvider.authenticate(token));
+
+    verify(lockoutService).resetFailedAttempts("totp");
+    verify(lockoutService, never()).recordFailedAttempt(anyString());
+  }
+
+  @Test
+  void authenticateThrowsLockedExceptionWhenSuspended() {
+    when(token.getTotp()).thenReturn("123456");
+    when(token.getName()).thenReturn("locked");
+    doThrow(new LockedException("Suspended")).when(lockoutService).checkIamAccountLockout("locked");
+
+    assertThrows(LockedException.class,
+        () -> multiFactorTotpCheckProvider.authenticate(token));
+    verify(accountRepo, never()).findByUsername(anyString());
   }
 
   @Test