improve coverage

Author: ffalqui

engine/src/test/java/org/entando/entando/aps/servlet/StartupListenerTest.java

@@ -0,0 +1,316 @@
+/*
+ * Copyright 2015-Present Entando Inc. (http://www.entando.com) All rights reserved.
+ *
+ * This library is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ */
+package org.entando.entando.aps.servlet;
+
+import com.agiletec.aps.system.SystemConstants;
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.ServletContextEvent;
+import jakarta.servlet.SessionCookieConfig;
+import org.entando.entando.aps.system.exception.CSRFProtectionException;
+import org.entando.entando.aps.system.services.tenants.ITenantInitializerService;
+import org.entando.entando.aps.system.services.tenants.ITenantInitializerService.InitializationTenantFilter;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.web.context.WebApplicationContext;
+
+import java.util.concurrent.CompletableFuture;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class StartupListenerTest {
+
+    private StartupListener startupListener;
+
+    @Mock
+    private ServletContextEvent servletContextEvent;
+
+    @Mock
+    private ServletContext servletContext;
+
+    @Mock
+    private WebApplicationContext webApplicationContext;
+
+    @Mock
+    private ITenantInitializerService tenantInitializerService;
+
+    @Mock
+    private SessionCookieConfig sessionCookieConfig;
+
+    private String originalCsrfProtection;
+    private String originalCsrfDomains;
+    private String originalCspEnabled;
+    private String originalCspExtraConfig;
+    private String originalSecureCookies;
+
+    @BeforeEach
+    void setUp() {
+        startupListener = new StartupListener();
+
+        // Store original environment values
+        originalCsrfProtection = System.getenv(SystemConstants.ENTANDO_CSRF_PROTECTION);
+        originalCsrfDomains = System.getenv(SystemConstants.ENTANDO_CSRF_ALLOWED_DOMAINS);
+        originalCspEnabled = System.getenv(SystemConstants.CSP_HEADER_ENABLED);
+        originalCspExtraConfig = System.getenv(SystemConstants.CSP_HEADER_EXTRACONFIG);
+        originalSecureCookies = System.getenv("ENTANDO_SECURE_SECRET_COOKIES");
+
+        when(servletContextEvent.getServletContext()).thenReturn(servletContext);
+        when(servletContext.getServletContextName()).thenReturn("TestContext");
+        when(servletContext.getAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE))
+                .thenReturn(webApplicationContext);
+        when(webApplicationContext.getBean(ITenantInitializerService.class)).thenReturn(tenantInitializerService);
+        when(tenantInitializerService.startTenantsInitialization(any(), eq(InitializationTenantFilter.REQUIRED_INIT_AT_START)))
+                .thenReturn(CompletableFuture.completedFuture(null));
+        when(tenantInitializerService.startTenantsInitialization(any(), eq(InitializationTenantFilter.NOT_REQUIRED_INIT_AT_START)))
+                .thenReturn(CompletableFuture.completedFuture(null));
+        when(servletContext.getSessionCookieConfig()).thenReturn(sessionCookieConfig);
+    }
+
+    @AfterEach
+    void tearDown() {
+        // Note: We cannot restore environment variables in Java,
+        // so tests that modify them should be aware of this limitation
+    }
+
+    @Test
+    void testContextInitialized_WithCsrfProtectionEnabled() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_PROTECTION))
+                    .thenReturn(SystemConstants.CSRF_BASIC_PROTECTION);
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_ALLOWED_DOMAINS))
+                    .thenReturn("example.com,test.com");
+            systemMock.when(() -> System.getenv(SystemConstants.CSP_HEADER_ENABLED))
+                    .thenReturn("true");
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn(null);
+
+            // Act
+            assertDoesNotThrow(() -> startupListener.contextInitialized(servletContextEvent));
+
+            // Assert
+            verify(tenantInitializerService).startTenantsInitialization(
+                    eq(servletContext), eq(InitializationTenantFilter.REQUIRED_INIT_AT_START));
+            verify(tenantInitializerService).startTenantsInitialization(
+                    eq(servletContext), eq(InitializationTenantFilter.NOT_REQUIRED_INIT_AT_START));
+        }
+    }
+
+    @Test
+    void testContextInitialized_WithCsrfProtectionDisabled() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_PROTECTION))
+                    .thenReturn(null);
+            systemMock.when(() -> System.getenv(SystemConstants.CSP_HEADER_ENABLED))
+                    .thenReturn("true");
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn(null);
+
+            // Act
+            assertDoesNotThrow(() -> startupListener.contextInitialized(servletContextEvent));
+
+            // Assert - should log warning but not throw exception
+            verify(servletContext, atLeastOnce()).getServletContextName();
+        }
+    }
+
+    @Test
+    void testContextInitialized_WithCsrfProtectionEnabledButNoDomains() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_PROTECTION))
+                    .thenReturn(SystemConstants.CSRF_BASIC_PROTECTION);
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_ALLOWED_DOMAINS))
+                    .thenReturn(null);
+            systemMock.when(() -> System.getenv(SystemConstants.CSP_HEADER_ENABLED))
+                    .thenReturn("true");
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn(null);
+
+            // Act & Assert
+            assertThrows(CSRFProtectionException.class,
+                    () -> startupListener.contextInitialized(servletContextEvent));
+        }
+    }
+
+    @Test
+    void testContextInitialized_WithCsrfProtectionEnabledButEmptyDomains() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_PROTECTION))
+                    .thenReturn(SystemConstants.CSRF_BASIC_PROTECTION);
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_ALLOWED_DOMAINS))
+                    .thenReturn("");
+            systemMock.when(() -> System.getenv(SystemConstants.CSP_HEADER_ENABLED))
+                    .thenReturn("true");
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn(null);
+
+            // Act & Assert
+            assertThrows(CSRFProtectionException.class,
+                    () -> startupListener.contextInitialized(servletContextEvent));
+        }
+    }
+
+    @Test
+    void testContextInitialized_WithCspDisabled() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_PROTECTION))
+                    .thenReturn(null);
+            systemMock.when(() -> System.getenv(SystemConstants.CSP_HEADER_ENABLED))
+                    .thenReturn("false");
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn(null);
+
+            // Act
+            assertDoesNotThrow(() -> startupListener.contextInitialized(servletContextEvent));
+
+            // Assert - should log warning about CSP being disabled
+            verify(servletContext, atLeastOnce()).getServletContextName();
+        }
+    }
+
+    @Test
+    void testContextInitialized_WithCspEnabledAndExtraConfig() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_PROTECTION))
+                    .thenReturn(null);
+            systemMock.when(() -> System.getenv(SystemConstants.CSP_HEADER_ENABLED))
+                    .thenReturn("true");
+            systemMock.when(() -> System.getenv(SystemConstants.CSP_HEADER_EXTRACONFIG))
+                    .thenReturn("script-src 'self'");
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn(null);
+
+            // Act
+            assertDoesNotThrow(() -> startupListener.contextInitialized(servletContextEvent));
+
+            // Assert
+            verify(servletContext, atLeastOnce()).getServletContextName();
+        }
+    }
+
+    @Test
+    void testContextInitialized_WithCspEmptyString() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_PROTECTION))
+                    .thenReturn(null);
+            systemMock.when(() -> System.getenv(SystemConstants.CSP_HEADER_ENABLED))
+                    .thenReturn("");
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn(null);
+
+            // Act - empty string should default to enabled
+            assertDoesNotThrow(() -> startupListener.contextInitialized(servletContextEvent));
+
+            // Assert
+            verify(servletContext, atLeastOnce()).getServletContextName();
+        }
+    }
+
+    @Test
+    void testSetSessionCookieConfig_WithSecureCookiesEnabled() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn("true");
+
+            // Act
+            startupListener.setSessionCookieConfig(servletContext);
+
+            // Assert
+            verify(sessionCookieConfig).setSecure(true);
+        }
+    }
+
+    @Test
+    void testSetSessionCookieConfig_WithSecureCookiesDisabled() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn("false");
+
+            // Act
+            startupListener.setSessionCookieConfig(servletContext);
+
+            // Assert - secure should not be set when false
+            verify(sessionCookieConfig, never()).setSecure(anyBoolean());
+        }
+    }
+
+    @Test
+    void testSetSessionCookieConfig_WithoutEnvironmentVariableButForceHttps() {
+        // Arrange - We need to mock UrlUtils.determineForceHttps() to return true
+        // This is more complex as it requires mocking a static method in UrlUtils
+        // For now, we'll test the scenario where it returns false
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn(null);
+
+            // Act
+            startupListener.setSessionCookieConfig(servletContext);
+
+            // Assert - behavior depends on UrlUtils.determineForceHttps()
+            // In most test environments, this will be false, so setSecure won't be called
+            // We're testing that the method completes without error
+            verify(servletContext).getSessionCookieConfig();
+        }
+    }
+
+    @Test
+    void testSetSessionCookieConfig_WithEmptyString() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn("");
+
+            // Act
+            startupListener.setSessionCookieConfig(servletContext);
+
+            // Assert - empty string means it falls back to UrlUtils.determineForceHttps()
+            verify(servletContext).getSessionCookieConfig();
+        }
+    }
+
+    @Test
+    void testContextInitialized_WithNonBasicCsrfProtection() {
+        // Arrange
+        try (MockedStatic<System> systemMock = mockStatic(System.class, CALLS_REAL_METHODS)) {
+            systemMock.when(() -> System.getenv(SystemConstants.ENTANDO_CSRF_PROTECTION))
+                    .thenReturn("ADVANCED"); // Some other protection type
+            systemMock.when(() -> System.getenv(SystemConstants.CSP_HEADER_ENABLED))
+                    .thenReturn("true");
+            systemMock.when(() -> System.getenv("ENTANDO_SECURE_SECRET_COOKIES"))
+                    .thenReturn(null);
+
+            // Act
+            assertDoesNotThrow(() -> startupListener.contextInitialized(servletContextEvent));
+
+            // Assert - should log warning but not throw exception
+            verify(servletContext, atLeastOnce()).getServletContextName();
+        }
+    }
+}