admin/cmc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

63. Test Brute force attack (#6)

Browse Source
This commit is contained in:
Art
2021-09-08 16:15:38 +03:00
parent f65fe530e5
commit 4fbf0712e2
2 changed files with 68 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
support-portal-backend/pom.xml
View File

@ -84,6 +84,13 @@
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.13</version>
<scope>test</scope>
</dependency>
</dependencies> </dependencies>
<build> <build>

61
support-portal-backend/src/test/java/net/shyshkin/study/fullstack/supportportal/backend/controller/UserResourceTest.java
View File

@ -6,6 +6,7 @@ import net.shyshkin.study.fullstack.supportportal.backend.common.BaseUserTest;
import net.shyshkin.study.fullstack.supportportal.backend.domain.HttpResponse; import net.shyshkin.study.fullstack.supportportal.backend.domain.HttpResponse;
import net.shyshkin.study.fullstack.supportportal.backend.domain.User; import net.shyshkin.study.fullstack.supportportal.backend.domain.User;
import net.shyshkin.study.fullstack.supportportal.backend.domain.UserPrincipal; import net.shyshkin.study.fullstack.supportportal.backend.domain.UserPrincipal;
import net.shyshkin.study.fullstack.supportportal.backend.service.LoginAttemptService;
import net.shyshkin.study.fullstack.supportportal.backend.utility.JwtTokenProvider; import net.shyshkin.study.fullstack.supportportal.backend.utility.JwtTokenProvider;
import org.junit.jupiter.api.MethodOrderer; import org.junit.jupiter.api.MethodOrderer;
import org.junit.jupiter.api.Order; import org.junit.jupiter.api.Order;
@ -266,4 +267,64 @@ class UserResourceTest extends BaseUserTest {
log.debug("Token: {}", token); log.debug("Token: {}", token);
assertThat(token).isNull(); assertThat(token).isNull();
} }
@Test
@Order(60)
void loginUser_bruteForceDetectionTest() throws InterruptedException {
//given
User fakeUser = createRandomUser();
String correctPassword = fakeUser.getPassword().replace("{noop}", "");
String username = fakeUser.getUsername();
userRepository.save(fakeUser);
String wrongPassword = "wrongPass";
//when
User userLogin = User.builder()
.username(username)
.password(wrongPassword)
.build();
for (int i = 0; i < LoginAttemptService.MAX_ATTEMPTS; i++) {
var responseEntity = restTemplate.postForEntity("/user/login", userLogin, HttpResponse.class);
//then
log.debug("Response Entity: {}", responseEntity);
assertThat(responseEntity.getStatusCode()).isEqualTo(BAD_REQUEST);
assertThat(responseEntity.getBody())
.isNotNull()
.hasNoNullFieldsOrProperties()
.hasFieldOrPropertyWithValue("httpStatusCode", 400)
.hasFieldOrPropertyWithValue("httpStatus", BAD_REQUEST)
.hasFieldOrPropertyWithValue("reason", "BAD REQUEST")
.hasFieldOrPropertyWithValue("message", "USERNAME / PASSWORD INCORRECT. PLEASE TRY AGAIN");
}
for (int i = 0; i < 5; i++) {
if (i > 3) {
// Even correct password should not allow access to locked account
userLogin = User.builder()
.username(username)
.password(correctPassword)
.build();
}
var responseEntity = restTemplate.postForEntity("/user/login", userLogin, HttpResponse.class);
//then
log.debug("Response Entity: {}", responseEntity);
assertThat(responseEntity.getStatusCode()).isEqualTo(UNAUTHORIZED);
assertThat(responseEntity.getBody())
.isNotNull()
.hasNoNullFieldsOrProperties()
.hasFieldOrPropertyWithValue("httpStatusCode", 401)
.hasFieldOrPropertyWithValue("httpStatus", UNAUTHORIZED)
.hasFieldOrPropertyWithValue("reason", "UNAUTHORIZED")
.hasFieldOrPropertyWithValue("message", "YOUR ACCOUNT HAS BEEN LOCKED. PLEASE CONTACT ADMINISTRATION");
}
}
} }