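package org.bonitasoft.console.common.server.page;

import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.when;

import java.io.File;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;

/**
 * Unit test for {@link PageResourceServlet}: checks that a {@code location} request parameter
 * containing parent-directory segments is refused instead of being served.
 *
 * @author Julien Mege
 */
@RunWith(MockitoJUnitRunner.class)
public class PageResourceServletTest {

    @Mock
    private HttpServletRequest req;

    @Mock
    private HttpServletResponse res;

    @Mock
    HttpSession httpSession;

    /**
     * Sends a GET request whose {@code location} parameter is {@code ../../../file.txt} while the
     * resources parent folder is stubbed to the current directory, and expects the servlet to
     * reject it with a {@link ServletException} carrying the security message.
     *
     * <p>The test fails when no exception is thrown. Without that check, a servlet that silently
     * accepted the traversal path would leave the test green.
     *
     * @throws Exception if the servlet raises anything other than the expected
     *         {@link ServletException}
     */
    @Test
    public void should_verify_authorisation_for_the_given_location_param() throws Exception {
        final PageResourceServlet pageResourceServlet = spy(new PageResourceServlet());

        // Request stubs: resource name, HTTP method, session and tenant id.
        when(req.getParameter(pageResourceServlet.getResourceParameterName())).thenReturn("name");
        when(req.getMethod()).thenReturn("GET");
        when(req.getSession()).thenReturn(httpSession);
        when(req.getParameter("tenant")).thenReturn("1");

        // Base folder for tenant 1 is the working directory, so the location below points
        // outside of it once the ".." segments are resolved.
        when(pageResourceServlet.getResourcesParentFolder(1L)).thenReturn(new File("."));
        when(req.getParameter("location")).thenReturn("../../../file.txt");

        try {
            pageResourceServlet.service(req, res);
            // Reaching this line means the request was not rejected: that is the regression
            // this test exists to catch, so it must not pass silently.
            fail("Expected a ServletException for a location outside the resources folder");
        } catch (final ServletException e) {
            assertTrue(e.getMessage().startsWith("For security reasons, access to this file paths"));
        }
    }
}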