Add unit tests

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/logging/SMPMessageCode.java

@@ -43,13 +43,14 @@ public enum SMPMessageCode implements MessageCode {
     BUS_INVALID_XML("BUS-030", "Invalid XML for {}. Error: [{}]"),
 
     SEC_UNSECURED_LOGIN_ALLOWED("SEC-001", "Unsecure login is allowed, no authentication will be performed"),
-    SEC_USER_AUTHENTICATED("SEC-002", "User {} is authenticated with role {}."),
-    SEC_USER_NOT_EXISTS("SEC-003", "User {} not exists."),
-    SEC_INVALID_PASSWORD("SEC-004", "User {} has invalid password."),
-    SEC_USER_CERT_NOT_EXISTS("SEC-005", "User certificate {} not exists."),
-    SEC_USER_CERT_INVALID("SEC-006", "User certificate {} is invalid: {}."),
-    SEC_USER_NOT_AUTHENTICATED("SEC-007", "User {}. Reason: {}."),
-    SEC_USER_SUSPENDED("SEC-008", "User {} is temporarily suspended."),
+    SEC_USER_AUTHENTICATED("SEC-002", "User [{}] is authenticated with role [{}]."),
+    SEC_USER_NOT_EXISTS("SEC-003", "User [{}] not exists."),
+    SEC_INVALID_PASSWORD("SEC-004", "User [{}] has invalid password."),
+    SEC_USER_CERT_NOT_EXISTS("SEC-005", "User certificate [{}] not exists."),
+    SEC_USER_CERT_INVALID("SEC-006", "User certificate [{}] is invalid: [{}]."),
+    SEC_USER_NOT_AUTHENTICATED("SEC-007", "User [{}]. Reason: [{}]."),
+    SEC_USER_SUSPENDED("SEC-008", "User [{}] is temporarily suspended."),
+    SEC_INVALID_TOKEN("SEC-009", "User [{}] has invalid token value for token id: [{}]."),
 
 
     ;

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIUserService.java

@@ -149,7 +149,7 @@ public class UIUserService extends UIServiceBase<DBUser, UserRO> {
     public DBUser updateUserPassword(Long authorizedUserId, Long userToUpdateId, String currentPassword, String newPassword) {
 
         Pattern pattern = configurationService.getPasswordPolicyRexExp();
-        if (!pattern.matcher(newPassword).matches()) {
+        if (pattern != null && !pattern.matcher(newPassword).matches()) {
             throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, "PasswordChange", configurationService.getPasswordPolicyValidationMessage());
         }
         DBUser dbAuthorizedUser = userDao.find(authorizedUserId);

smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProvider.java

@@ -35,7 +35,10 @@ import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.time.OffsetDateTime;
 import java.time.temporal.ChronoUnit;
-import java.util.*;
+import java.util.Calendar;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Optional;
 
 import static java.util.Locale.US;
 
@@ -125,8 +128,6 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
      */
     public Authentication authenticateByCertificateToken(PreAuthenticatedCertificatePrincipal principal) {
         LOG.info("authenticateByCertificateToken:" + principal.getName());
-        KeyStore truststore = truststoreService.getTrustStore();
-
         DBUser user;
         X509Certificate x509Certificate = principal.getCertificate();
         String userToken = principal.getName();
@@ -137,7 +138,7 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
                 truststoreService.validateCertificateWithTruststore(x509Certificate);
             } catch (CertificateException e) {
                 String message = "Certificate is not trusted!";
-                LOG.securityWarn(SMPMessageCode.SEC_USER_CERT_INVALID, userToken , message
+                LOG.securityWarn(SMPMessageCode.SEC_USER_CERT_INVALID, userToken, message
                         + " The cert chain is not in truststore or either subject regexp or allowed cert policies does not match");
                 throw new BadCredentialsException(message);
             }
@@ -238,7 +239,7 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
      */
     public void validateIfTokenIsSuspended(DBUser user) {
         if (user.getSequentialTokenLoginFailureCount() == null
-                || user.getSequentialTokenLoginFailureCount() < 0) {
+                || user.getSequentialTokenLoginFailureCount() < 1) {
             LOG.trace("User has no previous failed attempts");
             return;
         }
@@ -249,14 +250,17 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
         }
 
         if (user.getLastTokenFailedLoginAttempt() == null) {
-            LOG.warn("Access token [{}] has failed attempts [{}] but null last Failed login attempt!", user.getUsername(), user.getLastFailedLoginAttempt());
+            LOG.warn("Access token [{}] for user [{}] has failed attempts [{}] but null last Failed login attempt!",
+                    user.getAccessTokenIdentifier(), user.getUsername(), user.getLastFailedLoginAttempt());
             return;
         }
 
         // check if the last failed attempt is already expired. If yes just clear the attempts
-        if (configurationService.getAccessTokenLoginSuspensionTimeInSeconds() != null && configurationService.getAccessTokenLoginSuspensionTimeInSeconds() > 0
-                && ChronoUnit.SECONDS.between(OffsetDateTime.now(), user.getLastTokenFailedLoginAttempt()) > configurationService.getAccessTokenLoginSuspensionTimeInSeconds()) {
-            LOG.warn("User [{}] suspension is expired! Clear failed login attempts and last failed login attempt", user.getUsername());
+        if (configurationService.getAccessTokenLoginSuspensionTimeInSeconds() != null
+                && configurationService.getAccessTokenLoginSuspensionTimeInSeconds() > 0
+                && ChronoUnit.SECONDS.between(user.getLastTokenFailedLoginAttempt(), OffsetDateTime.now()) > configurationService.getAccessTokenLoginSuspensionTimeInSeconds()) {
+            LOG.info("User token [{}] for user [{}] suspension is expired! Clear failed login attempts and last failed login attempt",
+                    user.getAccessTokenIdentifier(), user.getUsername());
             user.setLastTokenFailedLoginAttempt(null);
             user.setSequentialTokenLoginFailureCount(0);
             mUserDao.update(user);
@@ -264,7 +268,8 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
         }
 
         if (user.getSequentialTokenLoginFailureCount() < configurationService.getAccessTokenLoginMaxAttempts()) {
-            LOG.warn("User [{}] failed login attempt [{}]! did not reach the max failed attempts [{}]", user.getUsername(), user.getSequentialTokenLoginFailureCount(), configurationService.getAccessTokenLoginMaxAttempts());
+            LOG.warn("User token [{}] for user [{}] failed login attempt [{}] did not reach the max failed attempts [{}]",
+                    user.getAccessTokenIdentifier(), user.getUsername(), user.getSequentialTokenLoginFailureCount(), configurationService.getAccessTokenLoginMaxAttempts());
             return;
         }
         if (configurationService.getAlertBeforeUserSuspendedAlertMoment() == AlertSuspensionMomentEnum.AT_LOGON) {
@@ -312,11 +317,11 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
             user.setLastTokenFailedLoginAttempt(null);
             mUserDao.update(user);
         } catch (java.lang.IllegalArgumentException ex) {
-            // password is not hashed;
+            // password is not hashed
             LOG.securityWarn(SMPMessageCode.SEC_INVALID_PASSWORD, ex, authenticationTokenId);
             throw new BadCredentialsException(LOGIN_FAILED_MESSAGE);
         }
-        // the webservice authentication with corresponding web-service authority;
+        // the webservice authentication with corresponding web-service authority
         SMPAuthority authority = SMPAuthority.getAuthorityByRoleName("WS_" + user.getRole());
         // the webservice authentication does not support session set the session secret is null!
         SMPUserDetails userDetails = new SMPUserDetails(user, null, Collections.singletonList(authority));
@@ -335,12 +340,8 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
         user.setSequentialTokenLoginFailureCount(user.getSequentialTokenLoginFailureCount() != null ? user.getSequentialTokenLoginFailureCount() + 1 : 1);
         user.setLastTokenFailedLoginAttempt(OffsetDateTime.now());
         mUserDao.update(user);
-        LOG.securityWarn(SMPMessageCode.SEC_INVALID_PASSWORD, user.getAccessTokenIdentifier());
+        LOG.securityWarn(SMPMessageCode.SEC_INVALID_TOKEN, user.getUsername(), user.getAccessTokenIdentifier());
 
-        user.setSequentialLoginFailureCount(user.getSequentialLoginFailureCount() != null ? user.getSequentialLoginFailureCount() + 1 : 1);
-        user.setLastFailedLoginAttempt(OffsetDateTime.now());
-        mUserDao.update(user);
-        LOG.securityWarn(SMPMessageCode.SEC_INVALID_PASSWORD, user.getUsername());
         if (user.getSequentialTokenLoginFailureCount() >= configurationService.getAccessTokenLoginMaxAttempts()) {
             LOG.info("User access token [{}] failed sequential attempt exceeded the max allowed attempts [{}]!", user.getAccessToken(), configurationService.getAccessTokenLoginMaxAttempts());
             alertService.alertCredentialsSuspended(user, CredentialTypeEnum.ACCESS_TOKEN);
@@ -353,10 +354,10 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
 
     @Override
     public boolean supports(Class<?> auth) {
-        LOG.info("Support authentication: " + auth);
+        LOG.info("Support authentication: [{}].", auth);
         boolean supportAuthentication = auth.equals(UsernamePasswordAuthenticationToken.class) || auth.equals(PreAuthenticatedAuthenticationToken.class);
         if (!supportAuthentication) {
-            LOG.warn("SMP does not support authentication type: " + auth);
+            LOG.warn("SMP does not support authentication type: [{}].", auth);
         }
         return supportAuthentication;
     }

smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java

@@ -184,7 +184,7 @@ public class SMPAuthenticationProviderForUI implements AuthenticationProvider {
         }
         // check if the last failed attempt is already expired. If yes just clear the attempts
         if (configurationService.getLoginSuspensionTimeInSeconds() != null && configurationService.getLoginSuspensionTimeInSeconds() > 0
-                && ChronoUnit.SECONDS.between(OffsetDateTime.now(), user.getLastFailedLoginAttempt()) > configurationService.getLoginSuspensionTimeInSeconds()) {
+                && ChronoUnit.SECONDS.between( user.getLastFailedLoginAttempt(),OffsetDateTime.now()) > configurationService.getLoginSuspensionTimeInSeconds()) {
             LOG.warn("User [{}] suspension is expired! Clear failed login attempts and last failed login attempt", user.getUsername());
             user.setLastFailedLoginAttempt(null);
             user.setSequentialLoginFailureCount(0);

smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/ui/ResourceConstants.java

@@ -20,6 +20,7 @@ public class ResourceConstants {
     public static final String CONTEXT_PATH_PUBLIC_SERVICE_METADATA = CONTEXT_PATH_PUBLIC + "service-metadata";
     public static final String CONTEXT_PATH_PUBLIC_SECURITY = CONTEXT_PATH_PUBLIC + "security";
     public static final String CONTEXT_PATH_PUBLIC_SECURITY_AUTHENTICATION = CONTEXT_PATH_PUBLIC_SECURITY + "/authentication";
+    public static final String CONTEXT_PATH_PUBLIC_SECURITY_USER = CONTEXT_PATH_PUBLIC_SECURITY + "/user";
 
     //internal
     public static final String CONTEXT_PATH_INTERNAL_ALERT = CONTEXT_PATH_INTERNAL + "alert";

smp-webapp/src/test/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUITest.java

+package eu.europa.ec.edelivery.smp.auth;
+
+import eu.europa.ec.edelivery.smp.data.dao.UserDao;
+import eu.europa.ec.edelivery.smp.data.model.DBUser;
+import eu.europa.ec.edelivery.smp.services.AlertService;
+import eu.europa.ec.edelivery.smp.services.CRLVerifierService;
+import eu.europa.ec.edelivery.smp.services.ConfigurationService;
+import eu.europa.ec.edelivery.smp.services.ui.UITruststoreService;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.springframework.core.convert.ConversionService;
+
+import java.time.OffsetDateTime;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.doReturn;
+
+public class SMPAuthenticationProviderForUITest {
+
+    UserDao mockUserDao = Mockito.mock(UserDao.class);
+    ConversionService mockConversionService = Mockito.mock(ConversionService.class);
+    CRLVerifierService mockCrlVerifierService = Mockito.mock(CRLVerifierService.class);
+    UITruststoreService mockTruststoreService = Mockito.mock(UITruststoreService.class);
+    ConfigurationService mockConfigurationService = Mockito.mock(ConfigurationService.class);
+    AlertService mocAlertService = Mockito.mock(AlertService.class);
+    SMPAuthenticationProviderForUI testInstance = new SMPAuthenticationProviderForUI(mockUserDao,
+            mockConversionService,
+            mockCrlVerifierService,
+            mocAlertService,
+            mockTruststoreService,
+            mockConfigurationService);
+
+    @Test
+    public void testValidateIfTokenIsSuspendedReset(){
+        int starFailCount = 5;
+        DBUser user = new DBUser();
+        user.setUsername("TestToken");
+        int suspensionSeconds =100;
+
+        user.setLastFailedLoginAttempt(OffsetDateTime.now().minusSeconds(suspensionSeconds+10));
+        user.setSequentialLoginFailureCount(starFailCount);
+        doReturn(suspensionSeconds).when(mockConfigurationService).getLoginSuspensionTimeInSeconds();
+        doReturn(starFailCount).when(mockConfigurationService).getLoginMaxAttempts();
+
+        testInstance.validateIfUserAccountIsSuspended(user);
+
+        assertEquals(0, (int)user.getSequentialLoginFailureCount());
+        assertEquals(null, user.getLastFailedLoginAttempt());
+    }
+}
\ No newline at end of file

smp-webapp/src/test/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderTest.java

@@ -2,6 +2,7 @@ package eu.europa.ec.edelivery.smp.auth;
 
 import eu.europa.ec.edelivery.smp.data.dao.UserDao;
 import eu.europa.ec.edelivery.smp.data.model.DBUser;
+import eu.europa.ec.edelivery.smp.data.ui.enums.CredentialTypeEnum;
 import eu.europa.ec.edelivery.smp.services.AlertService;
 import eu.europa.ec.edelivery.smp.services.CRLVerifierService;
 import eu.europa.ec.edelivery.smp.services.ConfigurationService;
@@ -15,12 +16,13 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.crypto.bcrypt.BCrypt;
 
+import java.time.OffsetDateTime;
 import java.util.Calendar;
 import java.util.Optional;
 
-import static org.junit.Assert.assertThat;
+import static org.junit.Assert.*;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.*;
 
 /**
  * @author Joze Rihtarsic
@@ -84,4 +86,55 @@ public class SMPAuthenticationProviderTest {
                 Matchers.lessThan(50L));
 
     }
+    @Test
+    public void testLoginAttemptForAccessTokenFailed(){
+        int starFailCount = 2;
+        DBUser user = new DBUser();
+        user.setSequentialTokenLoginFailureCount(starFailCount);
+        long starTime =Calendar.getInstance().getTimeInMillis();
+        doReturn(100).when(mockConfigurationService).getAccessTokenLoginMaxAttempts();
+        // when
+        BadCredentialsException error = assertThrows(BadCredentialsException.class,
+                () -> testInstance.loginAttemptForAccessTokenFailed(user,starTime));
+
+        assertEquals(SMPAuthenticationProvider.LOGIN_FAILED_MESSAGE, error.getMessage());
+        assertEquals(starFailCount+1,(int)user.getSequentialTokenLoginFailureCount());
+        verify(mocAlertService, times(1)).alertCredentialVerificationFailed(user, CredentialTypeEnum.ACCESS_TOKEN);
+
+    }
+
+    @Test
+    public void testLoginAttemptForAccessTokenSuspended(){
+        int starFailCount = 5;
+        DBUser user = new DBUser();
+        user.setSequentialTokenLoginFailureCount(starFailCount);
+        long starTime =Calendar.getInstance().getTimeInMillis();
+        doReturn(5).when(mockConfigurationService).getAccessTokenLoginMaxAttempts();
+        // when
+        BadCredentialsException error = assertThrows(BadCredentialsException.class,
+                () -> testInstance.loginAttemptForAccessTokenFailed(user,starTime));
+
+        assertEquals(SMPAuthenticationProvider.LOGIN_FAILED_MESSAGE, error.getMessage());
+        assertEquals(starFailCount+1,(int)user.getSequentialTokenLoginFailureCount());
+        verify(mocAlertService, times(1)).alertCredentialsSuspended(user, CredentialTypeEnum.ACCESS_TOKEN);
+    }
+
+    @Test
+    public void testValidateIfTokenIsSuspendedReset(){
+        int starFailCount = 5;
+        DBUser user = new DBUser();
+        user.setUsername("TestToken");
+        int suspensionSeconds =100;
+
+        user.setLastTokenFailedLoginAttempt(OffsetDateTime.now().minusSeconds(suspensionSeconds+10));
+        user.setSequentialTokenLoginFailureCount(starFailCount);
+        doReturn(suspensionSeconds).when(mockConfigurationService).getAccessTokenLoginSuspensionTimeInSeconds();
+        doReturn(starFailCount).when(mockConfigurationService).getAccessTokenLoginMaxAttempts();
+
+        testInstance.validateIfTokenIsSuspended(user);
+
+        assertEquals(0, (int)user.getSequentialTokenLoginFailureCount());
+        assertEquals(null, user.getLastTokenFailedLoginAttempt());
+    }
+
 }
\ No newline at end of file

smp-webapp/src/test/java/eu/europa/ec/edelivery/smp/test/testutils/MockMvcUtils.java

 package eu.europa.ec.edelivery.smp.test.testutils;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import eu.europa.ec.edelivery.smp.data.ui.UserRO;
 import org.springframework.http.HttpHeaders;
 import org.springframework.mock.web.MockHttpSession;
@@ -31,17 +32,19 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @since 4.2
  */
 public class MockMvcUtils {
-    static ObjectMapper mapper = new ObjectMapper();
-
-    private static final String SYS_ADMIN_USERNAME = "sys_admin";
-    private static final String SYS_ADMIN_PASSWD = "test123";
-    private static final String SMP_ADMIN_USERNAME = "smp_admin";
-    private static final String SMP_ADMIN_PASSWD = "test123";
-    private static final String SG_USER_USERNAME = "sg_admin";
-    private static final String SG_USER_PASSWD = "test123";
-
-    private static final String SG_USER2_USERNAME = "test_user_hashed_pass";
-    private static final String SG_USER2_PASSWD = "test123";
+    static ObjectMapper mapper = new ObjectMapper(){{
+        registerModule(new JavaTimeModule());
+    }};
+
+    public static final String SYS_ADMIN_USERNAME = "sys_admin";
+    public static final String SYS_ADMIN_PASSWD = "test123";
+    public static final String SMP_ADMIN_USERNAME = "smp_admin";
+    public static final String SMP_ADMIN_PASSWD = "test123";
+    public static final String SG_USER_USERNAME = "sg_admin";
+    public static final String SG_USER_PASSWD = "test123";
+
+    public static final String SG_USER2_USERNAME = "test_user_hashed_pass";
+    public static final String SG_USER2_PASSWD = "test123";
 
 
     public static RequestPostProcessor getHttpBasicSystemAdminCredentials() {

smp-webapp/src/test/java/eu/europa/ec/edelivery/smp/ui/external/UserResourceIntegrationTest.java

 package eu.europa.ec.edelivery.smp.ui.external;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import eu.europa.ec.edelivery.smp.data.ui.CertificateRO;
-import eu.europa.ec.edelivery.smp.data.ui.DeleteEntityValidation;
-import eu.europa.ec.edelivery.smp.data.ui.ServiceResult;
-import eu.europa.ec.edelivery.smp.data.ui.UserRO;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import eu.europa.ec.edelivery.smp.data.ui.*;
 import eu.europa.ec.edelivery.smp.test.SmpTestWebAppConfig;
 import eu.europa.ec.edelivery.smp.ui.ResourceConstants;
 import org.junit.Before;
@@ -12,7 +10,6 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockHttpSession;
-import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.junit4.SpringRunner;
@@ -22,11 +19,10 @@ import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.web.context.WebApplicationContext;
 
 import javax.ws.rs.core.MediaType;
-import java.util.Arrays;
 import java.util.UUID;
 
 import static eu.europa.ec.edelivery.smp.test.testutils.MockMvcUtils.*;
-import static eu.europa.ec.edelivery.smp.ui.ResourceConstants.CONTEXT_PATH_INTERNAL_USER;
+import static eu.europa.ec.edelivery.smp.ui.ResourceConstants.CONTEXT_PATH_PUBLIC_SECURITY_USER;
 import static org.junit.Assert.*;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.context.jdbc.Sql.ExecutionPhase.BEFORE_TEST_METHOD;
@@ -57,28 +53,10 @@ public class UserResourceIntegrationTest {
 
     @Before
     public void setup() {
+        mapper.registerModule(new JavaTimeModule());
         mvc = initializeMockMvc(webAppContext);
     }
 
-    @Test
-    public void getUserList() throws Exception {
-        MockHttpSession session = loginWithSystemAdmin(mvc);
-        MvcResult result = mvc.perform(get(CONTEXT_PATH_INTERNAL_USER)
-                .session(session)
-                .with(csrf()))
-                .andExpect(status().isOk()).andReturn();
-        ServiceResult res = mapper.readValue(result.getResponse().getContentAsString(), ServiceResult.class);
-        // then
-        assertNotNull(res);
-        assertEquals(10, res.getServiceEntities().size());
-        res.getServiceEntities().forEach(sgMap -> {
-            UserRO sgro = mapper.convertValue(sgMap, UserRO.class);
-            assertNotNull(sgro.getUserId());
-            assertNotNull(sgro.getUsername());
-            assertNotNull(sgro.getRole());
-        });
-    }
-
     @Test
     public void testUpdateCurrentUserOK() throws Exception {
         // login
@@ -124,134 +102,55 @@ public class UserResourceIntegrationTest {
     }
 
     @Test
-    public void testUpdateUserList() throws Exception {
-        // given when
-        MockHttpSession session = loginWithSystemAdmin(mvc);
-
-        SecurityMockMvcRequestPostProcessors.CsrfRequestPostProcessor csrf = csrf();
-        MvcResult result = mvc.perform(get(CONTEXT_PATH_INTERNAL_USER)
-                .session(session)
-                .with(csrf))
-                .andExpect(status().isOk()).andReturn();
-        ServiceResult res = mapper.readValue(result.getResponse().getContentAsString(), ServiceResult.class);
-        assertNotNull(res);
-        assertFalse(res.getServiceEntities().isEmpty());
-        UserRO userRO = mapper.convertValue(res.getServiceEntities().get(0), UserRO.class);
-        // then
-        userRO.setActive(!userRO.isActive());
-        userRO.setEmailAddress("test@mail.com");
-        userRO.setPassword(UUID.randomUUID().toString());
-        if (userRO.getCertificate() == null) {
-            userRO.setCertificate(new CertificateRO());
-        }
-        userRO.getCertificate().setCertificateId(UUID.randomUUID().toString());
-
-        mvc.perform(put(CONTEXT_PATH_INTERNAL_USER)
-                .session(session)
-                .with(csrf)
-                .contentType(MediaType.APPLICATION_JSON)
-                .content(mapper.writeValueAsString(Arrays.asList(userRO)))
-        ).andExpect(status().isOk());
-    }
-
-    @Test
-    public void testUpdateUserListWrongAuthentication() throws Exception {
-        // given when
-        MockHttpSession session = loginWithSystemAdmin(mvc);
-        MvcResult result = mvc.perform(get(CONTEXT_PATH_INTERNAL_USER)
-                .session(session)
-                .with(csrf()))
-                .andExpect(status().isOk()).andReturn();
-        ServiceResult res = mapper.readValue(result.getResponse().getContentAsString(), ServiceResult.class);
-        assertNotNull(res);
-        assertFalse(res.getServiceEntities().isEmpty());
-        UserRO userRO = mapper.convertValue(res.getServiceEntities().get(0), UserRO.class);
-        // then
-        userRO.setActive(!userRO.isActive());
-        userRO.setEmailAddress("test@mail.com");
-        userRO.setPassword(UUID.randomUUID().toString());
-        if (userRO.getCertificate() == null) {
-            userRO.setCertificate(new CertificateRO());
-        }
-        userRO.getCertificate().setCertificateId(UUID.randomUUID().toString());
-        // anonymous
-        mvc.perform(put(CONTEXT_PATH_INTERNAL_USER)
-                .with(csrf())
-                .contentType(MediaType.APPLICATION_JSON)
-                .content(mapper.writeValueAsString(Arrays.asList(userRO)))
-        ).andExpect(status().isUnauthorized());
-
-        MockHttpSession sessionSMPAdmin = loginWithSMPAdmin(mvc);
-        mvc.perform(put(CONTEXT_PATH_INTERNAL_USER)
-                .session(sessionSMPAdmin)
-                .with(csrf())
-                .contentType(MediaType.APPLICATION_JSON)
-                .content(mapper.writeValueAsString(Arrays.asList(userRO)))
-        ).andExpect(status().isUnauthorized());
-
-        MockHttpSession sessionSGAdmin = loginWithServiceGroupUser(mvc);
-        mvc.perform(put(CONTEXT_PATH_INTERNAL_USER)
-                .session(sessionSGAdmin)
-                .with(csrf())
-                .contentType(MediaType.APPLICATION_JSON)
-                .content(mapper.writeValueAsString(Arrays.asList(userRO)))
-        ).andExpect(status().isUnauthorized());
-    }
-
-    @Test
-    public void testValidateDeleteUserOK() throws Exception {
+    public void generateAccessTokenForUser() throws Exception {
+        MockHttpSession session = loginWithServiceGroupUser2(mvc);
+        UserRO userRO = getLoggedUserData(mvc, session);
+        assertNotNull(userRO);
 
-        // login
-        MockHttpSession session = loginWithSystemAdmin(mvc);
-        // get list
-        MvcResult result = mvc.perform(get(CONTEXT_PATH_INTERNAL_USER)
+        MvcResult result = mvc.perform(post(PATH_PUBLIC + "/" + userRO.getUserId()+"/generate-access-token")
                 .with(csrf())
-                .session(session))
-                .andExpect(status().isOk()).andReturn();
-        ServiceResult res = mapper.readValue(result.getResponse().getContentAsString(), ServiceResult.class);
-        assertNotNull(res);
-        assertFalse(res.getServiceEntities().isEmpty());
-        UserRO userRO = mapper.convertValue(res.getServiceEntities().get(0), UserRO.class);
+                .session(session)
+                .contentType(MediaType.TEXT_PLAIN)
+                .content(SG_USER2_PASSWD)
+        ).andExpect(status().isOk()).andReturn();
 
-        MvcResult resultDelete = mvc.perform(post(CONTEXT_PATH_INTERNAL_USER + "/validate-delete")
+        MvcResult resultUser = mvc.perform(get(CONTEXT_PATH_PUBLIC_SECURITY_USER )
                 .with(csrf())
                 .session(session)
-                .contentType(MediaType.APPLICATION_JSON)
-                .content("[\"" + userRO.getUserId() + "\"]"))
-                .andExpect(status().isOk()).andReturn();
-
-        DeleteEntityValidation dev = mapper.readValue(resultDelete.getResponse().getContentAsString(), DeleteEntityValidation.class);
+        ).andExpect(status().isOk()).andReturn();
 
-        assertFalse(dev.getListIds().isEmpty());
-        assertTrue(dev.getListDeleteNotPermitedIds().isEmpty());
-        assertEquals(userRO.getUserId(), dev.getListIds().get(0));
+        UserRO updateUserData = mapper.readValue(resultUser.getResponse().getContentAsString(), UserRO.class);
+        AccessTokenRO resAccessToken = mapper.readValue(result.getResponse().getContentAsString(), AccessTokenRO.class);
+        assertNotNull(resAccessToken);
+        assertNotEquals(userRO.getAccessTokenId(), resAccessToken.getIdentifier());
+        assertNotEquals(userRO.getAccessTokenExpireOn(), resAccessToken.getExpireOn());
+        assertEquals(updateUserData.getAccessTokenId(), resAccessToken.getIdentifier());
+        assertEquals(updateUserData.getAccessTokenExpireOn(), resAccessToken.getExpireOn());
     }
 
     @Test
-    public void testValidateDeleteLoggedUserNotOK() throws Exception {
+    public void changePassword() throws Exception {
+        String newPassword = "TESTtest1234!@#$";
 
-        // login
-        MockHttpSession session = loginWithSystemAdmin(mvc);
-        // get list
-        MvcResult result = mvc.perform(get(CONTEXT_PATH_INTERNAL_USER)
-                .with(csrf())
-                .session(session))
-                .andExpect(status().isOk()).andReturn();
+        MockHttpSession session = loginWithServiceGroupUser2(mvc);
         UserRO userRO = getLoggedUserData(mvc, session);
+        assertNotNull(userRO);
+        PasswordChangeRO newPass = new PasswordChangeRO();
+        newPass.setUsername(SG_USER2_USERNAME);
+        newPass.setCurrentPassword(SG_USER2_PASSWD);
+        newPass.setNewPassword(newPassword);
+        assertNotEquals(newPassword, SG_USER2_PASSWD);
 
-        // note system credential has id 3!
-        MvcResult resultDelete = mvc.perform(post(CONTEXT_PATH_INTERNAL_USER + "/validate-delete")
+        mvc.perform(put(PATH_PUBLIC + "/" + userRO.getUserId()+"/change-password")
                 .with(csrf())
                 .session(session)
-                .contentType(org.springframework.http.MediaType.APPLICATION_JSON)
-                .content("[\"" + userRO.getUserId() + "\"]"))
-                .andExpect(status().isOk())
-                .andReturn();
-
-        DeleteEntityValidation res = mapper.readValue(resultDelete.getResponse().getContentAsString(), DeleteEntityValidation.class);
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(mapper.writeValueAsString(newPass))
+        ).andExpect(status().isOk()).andReturn();
 
-        assertTrue(res.getListIds().isEmpty());
-        assertEquals("Could not delete logged user!", res.getStringMessage());
+        // test to login with new password
+        MockHttpSession sessionNew = loginWithCredentials(mvc, SG_USER2_USERNAME, newPassword);
+        assertNotNull(sessionNew);
     }
 
 }
\ No newline at end of file

smp-webapp/src/test/java/eu/europa/ec/edelivery/smp/ui/internal/UserAdminResourceIntegrationTest.java

+package eu.europa.ec.edelivery.smp.ui.internal;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import eu.europa.ec.edelivery.smp.data.ui.*;
+import eu.europa.ec.edelivery.smp.test.SmpTestWebAppConfig;
+import eu.europa.ec.edelivery.smp.ui.ResourceConstants;
+import org.apache.commons.lang3.StringUtils;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.jdbc.Sql;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.web.context.WebApplicationContext;
+
+import javax.ws.rs.core.MediaType;
+import java.util.Arrays;
+import java.util.Map;
+import java.util.UUID;
+
+import static eu.europa.ec.edelivery.smp.test.testutils.MockMvcUtils.*;
+import static org.junit.Assert.*;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.test.context.jdbc.Sql.ExecutionPhase.BEFORE_TEST_METHOD;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@RunWith(SpringRunner.class)
+@WebAppConfiguration
+@ContextConfiguration(classes = {SmpTestWebAppConfig.class})
+@Sql(scripts = {
+        "classpath:/cleanup-database.sql",
+        "classpath:/webapp_integration_test_data.sql"},
+        executionPhase = BEFORE_TEST_METHOD)
+public class UserAdminResourceIntegrationTest {
+
+    private static final String PATH_INTERNAL = ResourceConstants.CONTEXT_PATH_INTERNAL_USER;
+
+    @Autowired
+    private WebApplicationContext webAppContext;
+
+    private MockMvc mvc;
+
+    ObjectMapper mapper = new ObjectMapper();
+
+    @Before
+    public void setup() {
+        mapper.registerModule(new JavaTimeModule());
+        mvc = initializeMockMvc(webAppContext);
+    }
+
+    @Test
+    public void getUsers() throws Exception {
+        MockHttpSession session = loginWithSystemAdmin(mvc);
+        MvcResult result = mvc.perform(get(PATH_INTERNAL)
+                .session(session)
+                .with(csrf()))
+                .andExpect(status().isOk()).andReturn();
+        ServiceResult res = mapper.readValue(result.getResponse().getContentAsString(), ServiceResult.class);
+        // then
+        assertNotNull(res);
+        assertEquals(10, res.getServiceEntities().size());
+        res.getServiceEntities().forEach(sgMap -> {
+            UserRO sgro = mapper.convertValue(sgMap, UserRO.class);
+            assertNotNull(sgro.getUserId());
+            assertNotNull(sgro.getUsername());
+            assertNotNull(sgro.getRole());
+        });
+    }
+
+    @Test
+    public void testUpdateUserList() throws Exception {
+        // given when
+        MockHttpSession session = loginWithSystemAdmin(mvc);
+
+        SecurityMockMvcRequestPostProcessors.CsrfRequestPostProcessor csrf = csrf();
+        MvcResult result = mvc.perform(get(PATH_INTERNAL)
+                .session(session)
+                .with(csrf))
+                .andExpect(status().isOk()).andReturn();
+        ServiceResult res = mapper.readValue(result.getResponse().getContentAsString(), ServiceResult.class);
+        assertNotNull(res);
+        assertFalse(res.getServiceEntities().isEmpty());
+        UserRO userRO = mapper.convertValue(res.getServiceEntities().get(0), UserRO.class);
+        // then
+        userRO.setActive(!userRO.isActive());
+        userRO.setEmailAddress("test@mail.com");
+        userRO.setPassword(UUID.randomUUID().toString());
+        if (userRO.getCertificate() == null) {
+            userRO.setCertificate(new CertificateRO());
+        }
+        userRO.getCertificate().setCertificateId(UUID.randomUUID().toString());
+
+        mvc.perform(put(PATH_INTERNAL)
+                .session(session)
+                .with(csrf)
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(mapper.writeValueAsString(Arrays.asList(userRO)))
+        ).andExpect(status().isOk());
+    }
+
+    @Test
+    public void testUpdateUserListWrongAuthentication() throws Exception {
+        // given when
+        MockHttpSession session = loginWithSystemAdmin(mvc);
+        MvcResult result = mvc.perform(get(PATH_INTERNAL)
+                .session(session)
+                .with(csrf()))
+                .andExpect(status().isOk()).andReturn();
+        ServiceResult res = mapper.readValue(result.getResponse().getContentAsString(), ServiceResult.class);
+        assertNotNull(res);
+        assertFalse(res.getServiceEntities().isEmpty());
+        UserRO userRO = mapper.convertValue(res.getServiceEntities().get(0), UserRO.class);
+        // then
+        userRO.setActive(!userRO.isActive());
+        userRO.setEmailAddress("test@mail.com");
+        userRO.setPassword(UUID.randomUUID().toString());
+        if (userRO.getCertificate() == null) {
+            userRO.setCertificate(new CertificateRO());
+        }
+        userRO.getCertificate().setCertificateId(UUID.randomUUID().toString());
+        // anonymous
+        mvc.perform(put(PATH_INTERNAL)
+                .with(csrf())
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(mapper.writeValueAsString(Arrays.asList(userRO)))
+        ).andExpect(status().isUnauthorized());
+
+        MockHttpSession sessionSMPAdmin = loginWithSMPAdmin(mvc);
+        mvc.perform(put(PATH_INTERNAL)
+                .session(sessionSMPAdmin)
+                .with(csrf())
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(mapper.writeValueAsString(Arrays.asList(userRO)))
+        ).andExpect(status().isUnauthorized());
+
+        MockHttpSession sessionSGAdmin = loginWithServiceGroupUser(mvc);
+        mvc.perform(put(PATH_INTERNAL)
+                .session(sessionSGAdmin)
+                .with(csrf())
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(mapper.writeValueAsString(Arrays.asList(userRO)))
+        ).andExpect(status().isUnauthorized());
+    }
+
+    @Test
+    public void testValidateDeleteUserOK() throws Exception {
+
+        // login
+        MockHttpSession session = loginWithSystemAdmin(mvc);
+        // get list
+        MvcResult result = mvc.perform(get(PATH_INTERNAL)
+                .with(csrf())
+                .session(session))
+                .andExpect(status().isOk()).andReturn();
+        ServiceResult res = mapper.readValue(result.getResponse().getContentAsString(), ServiceResult.class);
+        assertNotNull(res);
+        assertFalse(res.getServiceEntities().isEmpty());
+        UserRO userRO = mapper.convertValue(res.getServiceEntities().get(0), UserRO.class);
+
+        MvcResult resultDelete = mvc.perform(post(PATH_INTERNAL + "/validate-delete")
+                .with(csrf())
+                .session(session)
+                .contentType(MediaType.APPLICATION_JSON)
+                .content("[\"" + userRO.getUserId() + "\"]"))
+                .andExpect(status().isOk()).andReturn();
+
+        DeleteEntityValidation dev = mapper.readValue(resultDelete.getResponse().getContentAsString(), DeleteEntityValidation.class);
+
+        assertFalse(dev.getListIds().isEmpty());
+        assertTrue(dev.getListDeleteNotPermitedIds().isEmpty());
+        assertEquals(userRO.getUserId(), dev.getListIds().get(0));
+    }
+
+    @Test
+    public void testValidateDeleteLoggedUserNotOK() throws Exception {
+
+        // login
+        MockHttpSession session = loginWithSystemAdmin(mvc);
+        // get list
+        MvcResult result = mvc.perform(get(PATH_INTERNAL)
+                .with(csrf())
+                .session(session))
+                .andExpect(status().isOk()).andReturn();
+        UserRO userRO = getLoggedUserData(mvc, session);
+
+        // note system credential has id 3!
+        MvcResult resultDelete = mvc.perform(post(PATH_INTERNAL + "/validate-delete")
+                .with(csrf())
+                .session(session)
+                .contentType(org.springframework.http.MediaType.APPLICATION_JSON)
+                .content("[\"" + userRO.getUserId() + "\"]"))
+                .andExpect(status().isOk())
+                .andReturn();
+
+        DeleteEntityValidation res = mapper.readValue(resultDelete.getResponse().getContentAsString(), DeleteEntityValidation.class);
+
+        assertTrue(res.getListIds().isEmpty());
+        assertEquals("Could not delete logged user!", res.getStringMessage());
+    }
+
+
+    @Test
+    public void generateAccessTokenForUser() throws Exception {
+        MockHttpSession sessionAdmin = loginWithSystemAdmin(mvc);
+        UserRO userROAdmin = getLoggedUserData(mvc, sessionAdmin);
+
+        MvcResult resultUsers = mvc.perform(get(PATH_INTERNAL)
+                .session(sessionAdmin)
+                .with(csrf()))
+                .andExpect(status().isOk()).andReturn();
+        ServiceResult res = mapper.readValue(resultUsers.getResponse().getContentAsString(), ServiceResult.class);
+        Map userROToUpdate = (Map) res.getServiceEntities().stream()
+                .filter(userMap ->
+                        StringUtils.equals(SG_USER2_USERNAME, (String) ((Map) userMap).get("username"))).findFirst().get();
+
+        MvcResult result = mvc.perform(post(PATH_INTERNAL + "/" + userROAdmin.getUserId() + "/generate-access-token-for/" + userROToUpdate.get("userId"))
+                .with(csrf())
+                .session(sessionAdmin)
+                .content(SYS_ADMIN_PASSWD)
+        ).andExpect(status().isOk()).andReturn();
+
+
+        AccessTokenRO resAccessToken = mapper.readValue(result.getResponse().getContentAsString(), AccessTokenRO.class);
+        assertNotNull(resAccessToken);
+        assertNotNull(resAccessToken.getIdentifier());
+        assertNotNull(resAccessToken.getValue());
+
+    }
+
+    @Test
+    public void changePasswordForUser() throws Exception {
+        MockHttpSession sessionAdmin = loginWithSystemAdmin(mvc);
+        UserRO userROAdmin = getLoggedUserData(mvc, sessionAdmin);
+
+        MvcResult resultUsers = mvc.perform(get(PATH_INTERNAL)
+                .session(sessionAdmin)
+                .with(csrf()))
+                .andExpect(status().isOk()).andReturn();
+        ServiceResult res = mapper.readValue(resultUsers.getResponse().getContentAsString(), ServiceResult.class);
+        Map userROToUpdate = (Map) res.getServiceEntities().stream()
+                .filter(userMap ->
+                        StringUtils.equals(SG_USER2_USERNAME, (String) ((Map) userMap).get("username"))).findFirst().get();
+        String newPassword = "TESTtest1234!@#$";
+
+
+        PasswordChangeRO newPass = new PasswordChangeRO();
+        newPass.setUsername(SG_USER2_USERNAME);
+        newPass.setCurrentPassword(SYS_ADMIN_PASSWD);
+        newPass.setNewPassword(newPassword);
+        assertNotEquals(newPassword, SG_USER2_PASSWD);
+
+        mvc.perform(put(PATH_INTERNAL + "/" + userROAdmin.getUserId() + "//change-password-for/" + userROToUpdate.get("userId"))
+                .with(csrf())
+                .session(sessionAdmin)
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(mapper.writeValueAsString(newPass))
+        ).andExpect(status().isOk()).andReturn();
+
+        // test to login with new password
+        MockHttpSession sessionNew = loginWithCredentials(mvc, SG_USER2_USERNAME, newPassword);
+        assertNotNull(sessionNew);
+    }
+
+}
\ No newline at end of file