RestLimitingFilterTest.java
package org.zanata.rest;
import java.io.IOException;
import javax.enterprise.inject.Produces;
import javax.faces.bean.ApplicationScoped;
import javax.inject.Inject;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.hibernate.Session;
import org.jglue.cdiunit.deltaspike.SupportDeltaspikeCore;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Answers;
import org.mockito.ArgumentCaptor;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.zanata.ZanataTest;
import org.zanata.limits.RateLimitManager;
import org.zanata.limits.RateLimitingProcessor;
import org.zanata.model.HAccount;
import org.zanata.security.annotations.Authenticated;
import org.zanata.test.CdiUnitRunner;
import org.zanata.util.HttpUtil;
import org.zanata.util.IServiceLocator;
import org.zanata.util.RunnableEx;
import org.zanata.util.ServiceLocator;
import static org.mockito.Mockito.*;
import static org.mockito.Mockito.doReturn;
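/**
 * Tests for {@link RestLimitingFilter}: checks which
 * {@link RateLimitingProcessor} entry point the filter selects for a request
 * (API key of the authenticated account, username of the authenticated
 * account, or the remote address of an anonymous client) and that an
 * unauthenticated POST is rejected with HTTP 401.
 *
 * @author Patrick Huang <a
 *         href="mailto:pahuang@redhat.com">pahuang@redhat.com</a>
 */
@RunWith(CdiUnitRunner.class)
@SupportDeltaspikeCore
public class RestLimitingFilterTest extends ZanataTest {
    // Dummy token returned for the X-Auth-Token header; a test fixture only.
    private static final String API_KEY = "apiKey123";

    // Filter under test, built by the CDI container.
    @Inject
    RestLimitingFilter dispatcher;

    // The @Produces fields below are exposed to CDI; presumably this is how
    // the injected filter receives its collaborators (verify against the
    // filter's injection points).
    @Produces @Mock(answer = Answers.RETURNS_DEEP_STUBS)
    private HttpServletRequest request;

    @Produces @Mock(answer = Answers.RETURNS_DEEP_STUBS)
    private HttpServletResponse response;

    @Produces @Mock
    private RateLimitingProcessor processor;

    // Captures the task handed to the processor so each test can run it and
    // check that it forwards the request to the filter chain.
    @Captor
    private ArgumentCaptor<RunnableEx> taskCaptor;

    @Produces @Mock
    private FilterChain filterChain;

    // Account returned by the @Authenticated producer; null means anonymous.
    private HAccount authenticatedUser;

    @Produces @Mock @javax.enterprise.context.ApplicationScoped
    private RateLimitManager rateLimitManager;

    @Produces @Mock
    private Session session;

    @Produces
    private IServiceLocator serviceLocator = ServiceLocator.instance();

    // Remote address reported by the mocked request in the anonymous test.
    private String clientIP = "255.255.0.1";

    /**
     * Default scenario: an anonymous GET request that carries
     * {@link #API_KEY} in the X-Auth-Token header.
     */
    @Before
    public void beforeMethod() throws ServletException, IOException {
        when(request.getMethod()).thenReturn("GET");
        when(request.getHeader(HttpUtil.X_AUTH_TOKEN_HEADER)).thenReturn(
                API_KEY);
        // Stubbed so the captured task can be run and its call to the filter
        // chain verified.
        doNothing().when(filterChain).doFilter(request, response);
        authenticatedUser = null;
    }

    /**
     * Produces the current test's account as the {@link Authenticated}
     * {@link HAccount}; returns null when the test simulates an anonymous
     * caller.
     */
    @Produces
    private @Authenticated HAccount getAuthenticatedUser() {
        return authenticatedUser;
    }

    /**
     * An authenticated account with an API key is rate limited by that key.
     * The header still carries {@link #API_KEY} from the setup, so this also
     * shows the limit is keyed on the account's key, not on the
     * client-supplied header value.
     */
    @Test
    public void willUseAuthenticatedUserApiKeyIfPresent() throws Exception {
        authenticatedUser = new HAccount();
        authenticatedUser.setApiKey("apiKeyInAuth");

        dispatcher.doFilter(request, response, filterChain);

        verify(processor).processForApiKey(same("apiKeyInAuth"), same(response),
                taskCaptor.capture());
        // verify task is calling filter chain
        RunnableEx task = taskCaptor.getValue();
        task.run();
        verify(filterChain).doFilter(request, response);
    }

    /**
     * An authenticated account without an API key is rate limited by its
     * username, even though the request header carries {@link #API_KEY}.
     */
    @Test
    public void willUseUsernameIfNoApiKeyButAuthenticated() throws Exception {
        authenticatedUser = new HAccount();
        authenticatedUser.setUsername("admin");

        dispatcher.doFilter(request, response, filterChain);

        verify(processor).processForUser(same("admin"), same(response),
                taskCaptor.capture());
        // verify task is calling filter chain
        RunnableEx task = taskCaptor.getValue();
        task.run();
        verify(filterChain).doFilter(request, response);
    }

    /**
     * A POST with no token header and no authenticated account is answered
     * with 401 and never reaches the rate limiter or the filter chain.
     */
    @Test
    public void willThrowErrorWithPOSTAndNoApiKey() throws Exception {
        when(request.getMethod()).thenReturn("POST");
        when(request.getHeader(HttpUtil.X_AUTH_TOKEN_HEADER)).thenReturn(
                null);
        when(request.getRequestURI()).thenReturn("/rest/in/peace");
        authenticatedUser = null;

        dispatcher.doFilter(request, response, filterChain);

        verify(response).setStatus(401);
        verify(response).getOutputStream();
        verifyZeroInteractions(processor);
        // A rejected request must not be passed downstream: without this
        // check a filter that set 401 but still invoked the chain would pass.
        verify(filterChain, never()).doFilter(request, response);
    }

    /**
     * An anonymous GET without a token header is rate limited by the
     * request's remote address.
     */
    @Test
    public void willProcessAnonymousWithGETAndNoApiKey() throws Exception {
        when(request.getHeader(HttpUtil.X_AUTH_TOKEN_HEADER)).thenReturn(null);
        when(request.getRequestURI()).thenReturn("/rest/in/peace");
        // NOTE(review): only getRemoteAddr() is stubbed; whether the filter
        // also consults forwarding headers is not visible from this test.
        // Behind a reverse proxy getRemoteAddr() is the proxy's address, so
        // confirm how the deployment supplies the real client address before
        // relying on per-IP limits.
        when(request.getRemoteAddr()).thenReturn(clientIP);
        authenticatedUser = null;

        dispatcher.doFilter(request, response, filterChain);

        verify(processor).processForAnonymousIP(same(clientIP), same(response),
                taskCaptor.capture());
        // verify task is calling filter chain
        RunnableEx task = taskCaptor.getValue();
        task.run();
        verify(filterChain).doFilter(request, response);
    }
}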