fix capabilities

Author: damoeb

packages/server-core/src/main/kotlin/org/migor/feedless/repository/RepositoryResolver.kt

@@ -104,7 +104,7 @@ class RepositoryResolver(
 
   @Throttled
   @DgsMutation(field = DgsConstants.MUTATION.CreateRepositories)
-  @PreAuthorize("hasToken()")
+  @PreAuthorize("@capabilityService.hasToken()")
   suspend fun createRepositories(
     dfe: DataFetchingEnvironment,
     @InputArgument(DgsConstants.MUTATION.CREATEREPOSITORIES_INPUT_ARGUMENT.Data) data: List<RepositoryCreateInput>,

packages/server-core/src/main/kotlin/org/migor/feedless/scrape/ScrapeQueryResolver.kt

@@ -45,7 +45,7 @@ class ScrapeQueryResolver {
 
   @Throttled
   @DgsQuery(field = DgsConstants.QUERY.Scrape)
-  @PreAuthorize("hasToken()")
+  @PreAuthorize("@capabilityService.hasToken()")
   suspend fun scrape(
     dfe: DataFetchingEnvironment,
     @InputArgument(DgsConstants.QUERY.SCRAPE_INPUT_ARGUMENT.Data) data: SourceInput,

packages/server-core/src/main/kotlin/org/migor/feedless/session/JwtRequestFilter.kt

@@ -43,7 +43,7 @@ class JwtRequestFilter : Filter {
         runCatching {
           SecurityContextHolder.getContext().authentication =
             toOAuth2AuthenticationToken(authService.interceptToken(request))
-        }.onFailure { log.error(it.message, it) }
+        }.onFailure { log.debug(it.message) }
       }
       val attributes = ServletRequestAttributes(request)
       val corrId = StringUtils.trimToNull(request.getHeader(ApiParams.corrId)) ?: newCorrId()

packages/server-core/src/main/kotlin/org/migor/feedless/session/StatefulAuthService.kt

@@ -133,16 +133,14 @@ class StatefulAuthService : AuthService() {
   private fun resolveWhitelistedHosts() {
     this.whitelistedIps = whitelistedHostsParam
       .trim()
-      .split(" ", ",")
-      .map {
+      .split(" ", ",").mapNotNull {
         try {
           InetAddress.getByName(it.trim()).hostAddress
         } catch (e: Exception) {
           log.warn("Cannot resolve DNS $it: ${e.message}")
           null
         }
       }
-      .filterNotNull()
       .plus(
         listOf(
           InetAddress.getLocalHost().hostAddress,

packages/server-core/src/test/kotlin/org/migor/feedless/config/CustomSecurityExpressionRootTest.kt

@@ -5,11 +5,12 @@ import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.api.Test
 import org.migor.feedless.capability.SecurityContextCapabilityService
 import org.migor.feedless.session.LazyGrantedAuthority
+import org.mockito.Mockito
 import org.mockito.Mockito.mock
 import org.mockito.Mockito.`when`
 import org.springframework.security.core.Authentication
-import org.springframework.security.core.GrantedAuthority
-import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.core.context.SecurityContext
+import org.springframework.security.core.context.SecurityContextHolder
 
 class CustomSecurityExpressionRootTest {
 
@@ -23,11 +24,13 @@ class CustomSecurityExpressionRootTest {
     )
     `when`(authentication.authorities).thenReturn(authorities)
 
-    val expressionRoot = SecurityContextCapabilityService(authentication)
+    mockAuthentication(authentication) {
+      val expressionRoot = SecurityContextCapabilityService()
 
-    // when & then
-    assertThat(expressionRoot.hasCapability("user")).isTrue()
-    assertThat(expressionRoot.hasCapability("groups")).isTrue()
+      // when & then
+      assertThat(expressionRoot.hasCapability("user")).isTrue()
+      assertThat(expressionRoot.hasCapability("groups")).isTrue()
+    }
   }
 
   @Test
@@ -39,12 +42,14 @@ class CustomSecurityExpressionRootTest {
     )
     `when`(authentication.authorities).thenReturn(authorities)
 
-    val expressionRoot = SecurityContextCapabilityService(authentication)
+    mockAuthentication(authentication) {
+      val expressionRoot = SecurityContextCapabilityService()
 
-    // when & then
-    assertThat(expressionRoot.hasCapability("agent")).isFalse()
-    assertThat(expressionRoot.hasCapability("admin")).isFalse()
-    assertThat(expressionRoot.hasCapability("nonexistent")).isFalse()
+      // when & then
+      assertThat(expressionRoot.hasCapability("agent")).isFalse()
+      assertThat(expressionRoot.hasCapability("admin")).isFalse()
+      assertThat(expressionRoot.hasCapability("nonexistent")).isFalse()
+    }
   }
 
   @Test
@@ -53,47 +58,13 @@ class CustomSecurityExpressionRootTest {
     val authentication = mock(Authentication::class.java)
     `when`(authentication.authorities).thenReturn(emptyList())
 
-    val expressionRoot = SecurityContextCapabilityService(authentication)
+    mockAuthentication(authentication) {
+      val expressionRoot = SecurityContextCapabilityService()
 
-    // when & then
-    assertThat(expressionRoot.hasCapability("user")).isFalse()
-    assertThat(expressionRoot.hasCapability("agent")).isFalse()
-  }
-
-  @Test
-  fun `hasCapability is case sensitive`() = runTest {
-    // given
-    val authentication = mock(Authentication::class.java)
-    val authorities = listOf(
-      LazyGrantedAuthority("user", """{"id":"test-user-id"}""")
-    )
-    `when`(authentication.authorities).thenReturn(authorities)
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then
-    assertThat(expressionRoot.hasCapability("user")).isTrue()
-    assertThat(expressionRoot.hasCapability("USER")).isFalse()
-    assertThat(expressionRoot.hasCapability("User")).isFalse()
-  }
-
-  @Test
-  fun `hasCapability ignores non-LazyGrantedAuthority authorities`() = runTest {
-    // given
-    val authentication = mock(Authentication::class.java)
-    val authorities: List<GrantedAuthority> = listOf(
-      SimpleGrantedAuthority("ROLE_USER"),
-      LazyGrantedAuthority("user", """{"id":"test-user-id"}"""),
-      SimpleGrantedAuthority("ROLE_ADMIN")
-    )
-    `when`(authentication.authorities).thenReturn(authorities)
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then
-    assertThat(expressionRoot.hasCapability("user")).isTrue()
-    assertThat(expressionRoot.hasCapability("ROLE_USER")).isFalse()
-    assertThat(expressionRoot.hasCapability("ROLE_ADMIN")).isFalse()
+      // when & then
+      assertThat(expressionRoot.hasCapability("user")).isFalse()
+      assertThat(expressionRoot.hasCapability("agent")).isFalse()
+    }
   }
 
   @Test
@@ -106,14 +77,15 @@ class CustomSecurityExpressionRootTest {
       LazyGrantedAuthority("groups", """[]""")
     )
     `when`(authentication.authorities).thenReturn(authorities)
+    mockAuthentication(authentication) {
+      val expressionRoot = SecurityContextCapabilityService()
 
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then
-    assertThat(expressionRoot.hasCapability("user")).isTrue()
-    assertThat(expressionRoot.hasCapability("agent")).isTrue()
-    assertThat(expressionRoot.hasCapability("groups")).isTrue()
-    assertThat(expressionRoot.hasCapability("admin")).isFalse()
+      // when & then
+      assertThat(expressionRoot.hasCapability("user")).isTrue()
+      assertThat(expressionRoot.hasCapability("agent")).isTrue()
+      assertThat(expressionRoot.hasCapability("groups")).isTrue()
+      assertThat(expressionRoot.hasCapability("admin")).isFalse()
+    }
   }
 
   @Test
@@ -122,154 +94,37 @@ class CustomSecurityExpressionRootTest {
     val authentication = mock(Authentication::class.java)
     `when`(authentication.isAuthenticated).thenReturn(true)
 
-    val expressionRoot = SecurityContextCapabilityService(authentication)
+    mockAuthentication(authentication) {
+      val expressionRoot = SecurityContextCapabilityService()
 
-    // when & then
-    assertThat(expressionRoot.hasToken()).isTrue()
+      // when & then
+      assertThat(expressionRoot.hasToken()).isTrue()
+    }
   }
 
   @Test
   fun `hasToken returns false when authentication is not authenticated`() = runTest {
     // given
     val authentication = mock(Authentication::class.java)
     `when`(authentication.isAuthenticated).thenReturn(false)
+    mockAuthentication(authentication) {
+      val expressionRoot = SecurityContextCapabilityService()
 
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then
-    assertThat(expressionRoot.hasToken()).isFalse()
-  }
-
-  @Test
-  fun `hasToken returns true for authenticated user with capabilities`() = runTest {
-    // given
-    val authentication = mock(Authentication::class.java)
-    `when`(authentication.isAuthenticated).thenReturn(true)
-    val authorities = listOf(
-      LazyGrantedAuthority("user", """{"id":"test-user-id"}""")
-    )
-    `when`(authentication.authorities).thenReturn(authorities)
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then
-    assertThat(expressionRoot.hasToken()).isTrue()
-    assertThat(expressionRoot.hasCapability("user")).isTrue()
-  }
-
-  @Test
-  fun `hasToken returns true even without capabilities`() = runTest {
-    // given
-    val authentication = mock(Authentication::class.java)
-    `when`(authentication.isAuthenticated).thenReturn(true)
-    `when`(authentication.authorities).thenReturn(emptyList())
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then
-    assertThat(expressionRoot.hasToken()).isTrue()
-    assertThat(expressionRoot.hasCapability("user")).isFalse()
+      // when & then
+      assertThat(expressionRoot.hasToken()).isFalse()
+    }
   }
 
-  @Test
-  fun `combined test - hasToken true but specific capability false`() = runTest {
-    // given
-    val authentication = mock(Authentication::class.java)
-    `when`(authentication.isAuthenticated).thenReturn(true)
-    val authorities = listOf(
-      LazyGrantedAuthority("user", """{"id":"test-user-id"}""")
-    )
-    `when`(authentication.authorities).thenReturn(authorities)
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then
-    assertThat(expressionRoot.hasToken()).isTrue()
-    assertThat(expressionRoot.hasCapability("user")).isTrue()
-    assertThat(expressionRoot.hasCapability("agent")).isFalse()
-  }
-
-  @Test
-  fun `hasCapability with empty string returns false`() = runTest {
-    // given
-    val authentication = mock(Authentication::class.java)
-    val authorities = listOf(
-      LazyGrantedAuthority("user", """{"id":"test-user-id"}""")
-    )
-    `when`(authentication.authorities).thenReturn(authorities)
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then
-    assertThat(expressionRoot.hasCapability("")).isFalse()
-  }
-
-  @Test
-  fun `hasCapability with special characters in capability ID`() = runTest {
-    // given
-    val authentication = mock(Authentication::class.java)
-    val authorities = listOf(
-      LazyGrantedAuthority("special-capability-123", """{"id":"test"}""")
-    )
-    `when`(authentication.authorities).thenReturn(authorities)
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then
-    assertThat(expressionRoot.hasCapability("special-capability-123")).isTrue()
-    assertThat(expressionRoot.hasCapability("special-capability-456")).isFalse()
-  }
-
-  @Test
-  fun `real world scenario - user capability check`() = runTest {
-    // given - simulating a JWT token with user capability
-    val authentication = mock(Authentication::class.java)
-    `when`(authentication.isAuthenticated).thenReturn(true)
-    val authorities = listOf(
-      LazyGrantedAuthority("user", """{"id":"550e8400-e29b-41d4-a716-446655440000"}"""),
-      LazyGrantedAuthority("groups", """[]""")
-    )
-    `when`(authentication.authorities).thenReturn(authorities)
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then - user can access user-protected endpoints
-    assertThat(expressionRoot.hasToken()).isTrue()
-    assertThat(expressionRoot.hasCapability("user")).isTrue()
-    assertThat(expressionRoot.hasCapability("agent")).isFalse()
-  }
-
-  @Test
-  fun `real world scenario - agent capability check`() = runTest {
-    // given - simulating an agent/service token
-    val authentication = mock(Authentication::class.java)
-    `when`(authentication.isAuthenticated).thenReturn(true)
-    val authorities = listOf(
-      LazyGrantedAuthority("agent", """{"dummy":"service-123"}""")
-    )
-    `when`(authentication.authorities).thenReturn(authorities)
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
-
-    // when & then - agent can only access agent-protected endpoints
-    assertThat(expressionRoot.hasToken()).isTrue()
-    assertThat(expressionRoot.hasCapability("agent")).isTrue()
-    assertThat(expressionRoot.hasCapability("user")).isFalse()
-  }
-
-  @Test
-  fun `real world scenario - anonymous token-only access`() = runTest {
-    // given - simulating a token without specific capabilities (anonymous)
-    val authentication = mock(Authentication::class.java)
-    `when`(authentication.isAuthenticated).thenReturn(true)
-    `when`(authentication.authorities).thenReturn(emptyList())
-
-    val expressionRoot = SecurityContextCapabilityService(authentication)
+  private fun mockAuthentication(authentication: Authentication, block: () -> Any) {
+    Mockito.mockStatic(SecurityContextHolder::class.java).use { staticMock ->
+      {
+        val securityContext = mock(SecurityContext::class.java)
+        `when`(securityContext.authentication).thenReturn(authentication)
+        `when`(SecurityContextHolder.getContext()).thenReturn(securityContext)
 
-    // when & then - has token but no specific capabilities
-    assertThat(expressionRoot.hasToken()).isTrue()
-    assertThat(expressionRoot.hasCapability("user")).isFalse()
-    assertThat(expressionRoot.hasCapability("agent")).isFalse()
+        block.invoke()
+      }
+    }
   }
 }