[DS-2646]: Workflow Endpoints now need authenticated access + tests:

WorkflowDefinition, WorkflowActions & WorkflowSteps Endpoints

dspace-server-webapp/src/main/java/org/dspace/app/rest/WorkflowDefinitionController.java

@@ -23,6 +23,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.rest.webmvc.ResourceNotFoundException;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -56,6 +57,7 @@ public class WorkflowDefinitionController {
      * @return List of collections mapped to the requested workflow
      */
     @RequestMapping(method = RequestMethod.GET, value = "/{workflowName}/collections")
+    @PreAuthorize("hasAuthority('AUTHENTICATED')")
     public Page<CollectionRest> getCollections(HttpServletRequest request, @PathVariable String workflowName,
                                                Pageable pageable) {
         if (xmlWorkflowFactory.workflowByThisNameExists(workflowName)) {

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/WorkflowActionRestRepository.java

@@ -16,6 +16,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.rest.webmvc.ResourceNotFoundException;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;
 
 /**
@@ -30,6 +31,7 @@ public class WorkflowActionRestRepository extends DSpaceRestRepository<WorkflowA
     protected XmlWorkflowFactory xmlWorkflowFactory;
 
     @Override
+    @PreAuthorize("hasAuthority('AUTHENTICATED')")
     public WorkflowActionRest findOne(Context context, String workflowActionName) {
         WorkflowActionConfig actionConfig = this.xmlWorkflowFactory.getActionByName(workflowActionName);
         if (actionConfig != null) {
@@ -41,6 +43,7 @@ public class WorkflowActionRestRepository extends DSpaceRestRepository<WorkflowA
     }
 
     @Override
+    @PreAuthorize("hasAuthority('AUTHENTICATED')")
     public Page<WorkflowActionRest> findAll(Context context, Pageable pageable) {
         throw new RepositoryMethodNotImplementedException(WorkflowActionRest.NAME, "findAll");
     }

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/WorkflowDefinitionRestRepository.java

@@ -24,6 +24,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.rest.webmvc.ResourceNotFoundException;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;
 
 /**
@@ -41,6 +42,7 @@ public class WorkflowDefinitionRestRepository extends DSpaceRestRepository<Workf
     private CollectionService collectionService;
 
     @Override
+    @PreAuthorize("hasAuthority('AUTHENTICATED')")
     public WorkflowDefinitionRest findOne(Context context, String workflowName) {
         if (xmlWorkflowFactory.workflowByThisNameExists(workflowName)) {
             try {
@@ -56,6 +58,7 @@ public class WorkflowDefinitionRestRepository extends DSpaceRestRepository<Workf
     }
 
     @Override
+    @PreAuthorize("hasAuthority('AUTHENTICATED')")
     public Page<WorkflowDefinitionRest> findAll(Context context, Pageable pageable) {
         List<Workflow> workflows = xmlWorkflowFactory.getAllConfiguredWorkflows();
         return converter.toRestPage(utils.getPage(workflows, pageable), utils.obtainProjection(true));
@@ -69,6 +72,7 @@ public class WorkflowDefinitionRestRepository extends DSpaceRestRepository<Workf
      * @return the workflow definition for this collection
      */
     @SearchRestMethod(name = "findByCollection")
+    @PreAuthorize("hasAuthority('AUTHENTICATED')")
     public WorkflowDefinitionRest findByCollection(@Parameter(value = "uuid") UUID collectionId) throws SQLException {
         Context context = obtainContext();
         Collection collectionFromUuid = collectionService.find(context, collectionId);

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/WorkflowStepRestRepository.java

@@ -16,6 +16,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.rest.webmvc.ResourceNotFoundException;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;
 
 /**
@@ -30,6 +31,7 @@ public class WorkflowStepRestRepository extends DSpaceRestRepository<WorkflowSte
     protected XmlWorkflowFactory xmlWorkflowFactory;
 
     @Override
+    @PreAuthorize("hasAuthority('AUTHENTICATED')")
     public WorkflowStepRest findOne(Context context, String workflowStepName) {
         Step step = this.xmlWorkflowFactory.getStepByName(workflowStepName);
         if (step != null) {
@@ -41,6 +43,7 @@ public class WorkflowStepRestRepository extends DSpaceRestRepository<WorkflowSte
     }
 
     @Override
+    @PreAuthorize("hasAuthority('AUTHENTICATED')")
     public Page<WorkflowStepRest> findAll(Context context, Pageable pageable) {
         throw new RepositoryMethodNotImplementedException(WorkflowStepRest.NAME, "findAll");
     }

dspace-server-webapp/src/test/java/org/dspace/app/rest/WorkflowActionRestRepositoryIT.java

@@ -33,54 +33,96 @@ public class WorkflowActionRestRepositoryIT extends AbstractControllerIntegratio
     private XmlWorkflowFactory xmlWorkflowFactory = XmlWorkflowServiceFactory.getInstance().getWorkflowFactory();
 
     private static final String WORKFLOW_ACTIONS_ENDPOINT
-            = "/api/" + WorkflowActionRest.CATEGORY + "/" + WorkflowActionRest.NAME_PLURAL;
+        = "/api/" + WorkflowActionRest.CATEGORY + "/" + WorkflowActionRest.NAME_PLURAL;
 
     @Test
     public void getAllWorkflowActions_NonImplementedEndpoint() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
+        //When we call this facets endpoint
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT))
+            //We expect a 405 Method not allowed status
+            .andExpect(status().isMethodNotAllowed());
+    }
+
+    @Test
+    public void getAllWorkflowActions_NonImplementedEndpoint_NonValidToken() throws Exception {
+        String token = "nonValidToken";
+        //When we call this facets endpoint
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT))
+            //We expect a 403 Forbidden status
+            .andExpect(status().isForbidden());
+    }
+
+    @Test
+    public void getAllWorkflowActions_NonImplementedEndpoint_NoToken() throws Exception {
         //When we call this facets endpoint
         getClient().perform(get(WORKFLOW_ACTIONS_ENDPOINT))
-                //We expect a 405 Method not allowed status
+            //We expect a 401 Unauthorized
-                .andExpect(status().isMethodNotAllowed());
+            .andExpect(status().isUnauthorized());
     }
 
     @Test
     public void getWorkflowActionByName_NonExistentWorkflowAction() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         String nameNonExistentWorkflowActionName = "TestNameNonExistentWorkflowAction9999";
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameNonExistentWorkflowActionName))
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameNonExistentWorkflowActionName))
-                //We expect a 404 Not Found status
+            //We expect a 404 Not Found status
-                .andExpect(status().isNotFound());
+            .andExpect(status().isNotFound());
     }
 
     @Test
     public void getWorkflowActionByName_ExistentWithOptions_editaction() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         String nameActionWithOptions = "editaction";
         WorkflowActionConfig existentWorkflow = xmlWorkflowFactory.getActionByName(nameActionWithOptions);
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameActionWithOptions))
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameActionWithOptions))
-                //We expect a 200 is ok status
+            //We expect a 200 is ok status
-                .andExpect(status().isOk())
+            .andExpect(status().isOk())
-                // has options
+            // has options
-                .andExpect(jsonPath("$.options", not(empty())))
+            .andExpect(jsonPath("$.options", not(empty())))
-                //Matches expected corresponding rest action values
+            //Matches expected corresponding rest action values
-                .andExpect(jsonPath("$", Matchers.is(
+            .andExpect(jsonPath("$", Matchers.is(
-                        WorkflowActionMatcher.matchWorkflowActionEntry(existentWorkflow)
+                WorkflowActionMatcher.matchWorkflowActionEntry(existentWorkflow)
-                )));
+            )));
     }
 
     @Test
     public void getWorkflowActionByName_ExistentWithoutOptions_claimaction() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         String nameActionWithoutOptions = "claimaction";
         WorkflowActionConfig existentWorkflowNoOptions = xmlWorkflowFactory.getActionByName(nameActionWithoutOptions);
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameActionWithoutOptions))
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameActionWithoutOptions))
-                //We expect a 200 is ok status
+            //We expect a 200 is ok status
-                .andExpect(status().isOk())
+            .andExpect(status().isOk())
-                // has no options
+            // has no options
-                .andExpect(jsonPath("$.options", empty()))
+            .andExpect(jsonPath("$.options", empty()))
-                //Matches expected corresponding rest action values
+            //Matches expected corresponding rest action values
-                .andExpect(jsonPath("$", Matchers.is(
+            .andExpect(jsonPath("$", Matchers.is(
-                        WorkflowActionMatcher.matchWorkflowActionEntry(existentWorkflowNoOptions)
+                WorkflowActionMatcher.matchWorkflowActionEntry(existentWorkflowNoOptions)
-                )));
+            )));
+    }
+
+    @Test
+    public void getWorkflowActionByName_ExistentWithOptions_NonValidToken() throws Exception {
+        String token = "nonValidToken";
+        String nameActionWithOptions = "editaction";
+        WorkflowActionConfig existentWorkflow = xmlWorkflowFactory.getActionByName(nameActionWithOptions);
+        //When we call this facets endpoint
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameActionWithOptions))
+            //We expect a 403 Forbidden status
+            .andExpect(status().isForbidden());
+    }
+
+    @Test
+    public void getWorkflowActionByName_ExistentWithOptions_NoToken() throws Exception {
+        String nameActionWithOptions = "editaction";
+        WorkflowActionConfig existentWorkflow = xmlWorkflowFactory.getActionByName(nameActionWithOptions);
+        //When we call this facets endpoint
+        getClient().perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameActionWithOptions))
+            //We expect a 401 Unauthorized
+            .andExpect(status().isUnauthorized());
     }
 }

dspace-server-webapp/src/test/java/org/dspace/app/rest/WorkflowDefinitionRestRepositoryIT.java

@@ -43,92 +43,114 @@ public class WorkflowDefinitionRestRepositoryIT extends AbstractControllerIntegr
     private XmlWorkflowFactory xmlWorkflowFactory = XmlWorkflowServiceFactory.getInstance().getWorkflowFactory();
 
     private static final String WORKFLOW_DEFINITIONS_ENDPOINT
-            = "/api/" + WorkflowDefinitionRest.CATEGORY + "/" + WorkflowDefinitionRest.NAME_PLURAL;
+        = "/api/" + WorkflowDefinitionRest.CATEGORY + "/" + WorkflowDefinitionRest.NAME_PLURAL;
 
     @Test
     public void getAllWorkflowDefinitionsEndpoint() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         List<Workflow> allConfiguredWorkflows = xmlWorkflowFactory.getAllConfiguredWorkflows();
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT))
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT))
-                //We expect a 200 OK status
+            //We expect a 200 OK status
-                .andExpect(status().isOk())
+            .andExpect(status().isOk())
-                //Number of total workflows is equals to number of configured workflows
+            //Number of total workflows is equals to number of configured workflows
-                .andExpect(jsonPath("$.page.totalElements", is(allConfiguredWorkflows.size())))
+            .andExpect(jsonPath("$.page.totalElements", is(allConfiguredWorkflows.size())))
-                //There needs to be a self link to this endpoint
+            //There needs to be a self link to this endpoint
-                .andExpect(jsonPath("$._links.self.href", containsString(WORKFLOW_DEFINITIONS_ENDPOINT)));
+            .andExpect(jsonPath("$._links.self.href", containsString(WORKFLOW_DEFINITIONS_ENDPOINT)));
     }
 
     @Test
     public void getAllWorkflowDefinitionsEndpoint_Pagination_Size1() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         List<Workflow> allConfiguredWorkflows = xmlWorkflowFactory.getAllConfiguredWorkflows();
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT)
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT)
-                .param("size", "1"))
+            .param("size", "1"))
-                //We expect a 200 OK status
+            //We expect a 200 OK status
-                .andExpect(status().isOk())
+            .andExpect(status().isOk())
-                //Number of total workflows is equals to number of configured workflows
+            //Number of total workflows is equals to number of configured workflows
-                .andExpect(jsonPath("$.page.totalElements", is(allConfiguredWorkflows.size())))
+            .andExpect(jsonPath("$.page.totalElements", is(allConfiguredWorkflows.size())))
-                //Page size is 1
+            //Page size is 1
-                .andExpect(jsonPath("$.page.size", is(1)))
+            .andExpect(jsonPath("$.page.size", is(1)))
-                //Page nr is 1
+            //Page nr is 1
-                .andExpect(jsonPath("$.page.number", is(0)))
+            .andExpect(jsonPath("$.page.number", is(0)))
-                //Contains only the first configured workflow
+            //Contains only the first configured workflow
-                .andExpect(jsonPath("$._embedded.workflowDefinitionResources", Matchers.contains(
+            .andExpect(jsonPath("$._embedded.workflowDefinitionResources", Matchers.contains(
-                        WorkflowDefinitionMatcher.matchWorkflowDefinitionEntry(allConfiguredWorkflows.get(0))
+                WorkflowDefinitionMatcher.matchWorkflowDefinitionEntry(allConfiguredWorkflows.get(0))
-                )))
+            )))
-                //Doesn't contain the other workflows
+            //Doesn't contain the other workflows
-                .andExpect(jsonPath("$._embedded.workflowDefinitionResources", Matchers.not(
+            .andExpect(jsonPath("$._embedded.workflowDefinitionResources", Matchers.not(
-                        Matchers.contains(
+                Matchers.contains(
-                                WorkflowDefinitionMatcher.matchWorkflowDefinitionEntry(allConfiguredWorkflows.get(1))
+                    WorkflowDefinitionMatcher.matchWorkflowDefinitionEntry(allConfiguredWorkflows.get(1))
-                        )
+                )
-                )));
+            )));
     }
 
     @Test
     public void getAllWorkflowDefinitionsEndpoint_Pagination_Size1_Page1() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         List<Workflow> allConfiguredWorkflows = xmlWorkflowFactory.getAllConfiguredWorkflows();
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT)
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT)
-                .param("size", "1")
+            .param("size", "1")
-                .param("page", "1"))
+            .param("page", "1"))
-                //We expect a 200 OK status
+            //We expect a 200 OK status
-                .andExpect(status().isOk())
+            .andExpect(status().isOk())
-                //Number of total workflows is equals to number of configured workflows
+            //Number of total workflows is equals to number of configured workflows
-                .andExpect(jsonPath("$.page.totalElements", is(allConfiguredWorkflows.size())))
+            .andExpect(jsonPath("$.page.totalElements", is(allConfiguredWorkflows.size())))
-                //Page size is 1
+            //Page size is 1
-                .andExpect(jsonPath("$.page.size", is(1)))
+            .andExpect(jsonPath("$.page.size", is(1)))
-                //Page nr is 2
+            //Page nr is 2
-                .andExpect(jsonPath("$.page.number", is(1)))
+            .andExpect(jsonPath("$.page.number", is(1)))
-                //Contains only the second configured workflow
+            //Contains only the second configured workflow
-                .andExpect(jsonPath("$._embedded.workflowDefinitionResources", Matchers.contains(
+            .andExpect(jsonPath("$._embedded.workflowDefinitionResources", Matchers.contains(
-                        WorkflowDefinitionMatcher.matchWorkflowDefinitionEntry(allConfiguredWorkflows.get(1))
+                WorkflowDefinitionMatcher.matchWorkflowDefinitionEntry(allConfiguredWorkflows.get(1))
-                )))
+            )))
-                //Doesn't contain 1st configured workflow
+            //Doesn't contain 1st configured workflow
-                .andExpect(jsonPath("$._embedded.workflowDefinitionResources", Matchers.not(
+            .andExpect(jsonPath("$._embedded.workflowDefinitionResources", Matchers.not(
-                        Matchers.contains(
+                Matchers.contains(
-                                WorkflowDefinitionMatcher.matchWorkflowDefinitionEntry(allConfiguredWorkflows.get(0))
+                    WorkflowDefinitionMatcher.matchWorkflowDefinitionEntry(allConfiguredWorkflows.get(0))
-                        )
+                )
-                )));
+            )));
+    }
+
+    @Test
+    public void getAllWorkflowDefinitionsEndpoint_NonValidToken() throws Exception {
+        String token = "NonValidToken";
+        //When we call this facets endpoint
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT))
+            //We expect a 403 Forbidden status
+            .andExpect(status().isForbidden());
+    }
+
+    @Test
+    public void getAllWorkflowDefinitionsEndpoint_NoToken() throws Exception {
+        //When we call this facets endpoint
+        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT))
+            //We expect a 401 Unauthorized
+            .andExpect(status().isUnauthorized());
     }
 
     @Test
     public void getWorkflowDefinitionByName_DefaultWorkflow() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         Workflow defaultWorkflow = xmlWorkflowFactory.getDefaultWorkflow();
         String workflowName = defaultWorkflow.getID();
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + workflowName))
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + workflowName))
-                //We expect a 200 OK status
+            //We expect a 200 OK status
-                .andExpect(status().isOk())
+            .andExpect(status().isOk())
-                //There needs to be a self link to this endpoint
+            //There needs to be a self link to this endpoint
-                .andExpect(jsonPath("$._links.self.href", containsString(WORKFLOW_DEFINITIONS_ENDPOINT)))
+            .andExpect(jsonPath("$._links.self.href", containsString(WORKFLOW_DEFINITIONS_ENDPOINT)))
-                // its name is default
+            // its name is default
-                .andExpect(jsonPath("$.name", equalToIgnoringCase(workflowName)))
+            .andExpect(jsonPath("$.name", equalToIgnoringCase(workflowName)))
-                // is default
+            // is default
-                .andExpect(jsonPath("$.isDefault", is(true)));
+            .andExpect(jsonPath("$.isDefault", is(true)));
     }
 
     @Test
     public void getWorkflowDefinitionByName_NonDefaultWorkflow() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         Workflow defaultWorkflow = xmlWorkflowFactory.getDefaultWorkflow();
         List<Workflow> allConfiguredWorkflows = xmlWorkflowFactory.getAllConfiguredWorkflows();
         String firstNonDefaultWorkflowName = "";
@@ -139,106 +161,133 @@ public class WorkflowDefinitionRestRepositoryIT extends AbstractControllerIntegr
         }
         if (StringUtils.isNotBlank(firstNonDefaultWorkflowName)) {
             //When we call this facets endpoint
-            getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + firstNonDefaultWorkflowName))
+            getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + firstNonDefaultWorkflowName))
-                    //We expect a 200 OK status
+                //We expect a 200 OK status
-                    .andExpect(status().isOk())
+                .andExpect(status().isOk())
-                    //There needs to be a self link to this endpoint
+                //There needs to be a self link to this endpoint
-                    .andExpect(jsonPath("$._links.self.href", containsString(WORKFLOW_DEFINITIONS_ENDPOINT)))
+                .andExpect(jsonPath("$._links.self.href", containsString(WORKFLOW_DEFINITIONS_ENDPOINT)))
-                    // its name is name of non-default workflow
+                // its name is name of non-default workflow
-                    .andExpect(jsonPath("$.name", equalToIgnoringCase(firstNonDefaultWorkflowName)))
+                .andExpect(jsonPath("$.name", equalToIgnoringCase(firstNonDefaultWorkflowName)))
-                    // is not default
+                // is not default
-                    .andExpect(jsonPath("$.isDefault", is(false)));
+                .andExpect(jsonPath("$.isDefault", is(false)));
         }
     }
 
     @Test
     public void getWorkflowDefinitionByName_NonExistentWorkflow() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         String workflowName = "TestNameNonExistentWorkflow9999";
         //When we call this facets endpoint
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + workflowName))
+            //We expect a 404 Not Found status
+            .andExpect(status().isNotFound());
+    }
+
+    @Test
+    public void getWorkflowDefinitionByName_DefaultWorkflow_NonValidToken() throws Exception {
+        String token = "UnvalidToken";
+        Workflow defaultWorkflow = xmlWorkflowFactory.getDefaultWorkflow();
+        String workflowName = defaultWorkflow.getID();
+        //When we call this facets endpoint
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + workflowName))
+            //We expect a 403 Forbidden status
+            .andExpect(status().isForbidden());
+    }
+
+    @Test
+    public void getWorkflowDefinitionByName_DefaultWorkflow_NoToken() throws Exception {
+        Workflow defaultWorkflow = xmlWorkflowFactory.getDefaultWorkflow();
+        String workflowName = defaultWorkflow.getID();
+        //When we call this facets endpoint
         getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + workflowName))
-                //We expect a 404 Not Found status
+            //We expect a 401 Unauthorized
-                .andExpect(status().isNotFound());
+            .andExpect(status().isUnauthorized());
     }
 
     @Test
     public void getWorkflowDefinitionByCollectionId_ExistentCollection() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         //We turn off the authorization system in order to create the structure as defined below
         context.turnOffAuthorisationSystem();
         //** GIVEN **
         //1. A community-collection structure with one parent community with sub-community and one collection.
         parentCommunity = CommunityBuilder.createCommunity(context)
-                .withName("Parent Community")
+            .withName("Parent Community")
-                .build();
+            .build();
         Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
-                .withName("Sub Community")
+            .withName("Sub Community")
-                .build();
+            .build();
         Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
         context.restoreAuthSystemState();
 
         Workflow workflowForThisCollection = xmlWorkflowFactory.getWorkflow(col1);
 
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/search/findByCollection?uuid=" + col1.getID()))
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/search/findByCollection?uuid=" + col1.getID()))
-                //We expect a 200 OK status
+            //We expect a 200 OK status
-                .andExpect(status().isOk())
+            .andExpect(status().isOk())
-                // its name is name of corresponding workflow
+            // its name is name of corresponding workflow
-                .andExpect(jsonPath("$.name", equalToIgnoringCase(workflowForThisCollection.getID())));
+            .andExpect(jsonPath("$.name", equalToIgnoringCase(workflowForThisCollection.getID())));
     }
 
     @Test
     public void getWorkflowDefinitionByCollectionId_nonValidUUID() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         String nonValidUUID = "TestNonValidUUID";
 
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/search/findByCollection?uuid=" + nonValidUUID))
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/search/findByCollection?uuid=" + nonValidUUID))
-                //We expect a 422 Unprocessable Entity status
+            //We expect a 422 Unprocessable Entity status
-                .andExpect(status().is(422));
+            .andExpect(status().is(422));
     }
 
     @Test
     public void getWorkflowDefinitionByCollectionId_nonExistentCollection() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         UUID nonExistentCollectionUUID = UUID.randomUUID();
 
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/search/findByCollection?uuid="
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/search/findByCollection?uuid="
-                + nonExistentCollectionUUID))
+            + nonExistentCollectionUUID))
-                //We expect a 404 Not Found status
+            //We expect a 404 Not Found status
-                .andExpect(status().isNotFound());
+            .andExpect(status().isNotFound());
     }
 
     @Test
     public void getCollectionsOfWorkflowByName_DefaultWorkflow_AllNonMappedCollections() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         Workflow defaultWorkflow = xmlWorkflowFactory.getDefaultWorkflow();
         List<Collection> allNonMappedCollections = xmlWorkflowFactory.getAllNonMappedCollectionsHandles(context);
 
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + defaultWorkflow.getID()
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + defaultWorkflow.getID()
-                + "/collections"))
+            + "/collections"))
-                //We expect a 200 OK status
+            //We expect a 200 OK status
-                .andExpect(status().isOk())
+            .andExpect(status().isOk())
-                //Number of total workflows is equals to number of non-mapped collections
+            //Number of total workflows is equals to number of non-mapped collections
-                .andExpect(jsonPath("$.totalElements", is(allNonMappedCollections.size())));
+            .andExpect(jsonPath("$.totalElements", is(allNonMappedCollections.size())));
     }
 
     @Test
     public void getCollectionsOfWorkflowByName_DefaultWorkflow_AllNonMappedCollections_Paginated_Size1()
-            throws Exception {
+        throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         //We turn off the authorization system in order to create the structure as defined below
         context.turnOffAuthorisationSystem();
         //** GIVEN **
         //1. A community-collection structure with one parent community with sub-community and two collections.
         parentCommunity = CommunityBuilder.createCommunity(context)
-                .withName("Parent Community")
+            .withName("Parent Community")
-                .build();
+            .build();
         Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
-                .withName("Sub Community")
+            .withName("Sub Community")
-                .build();
+            .build();
         Collection col1 = CollectionBuilder.createCollection(context, child1)
-                .withName("Collection 1")
+            .withName("Collection 1")
-                .build();
+            .build();
         Collection col2 = CollectionBuilder.createCollection(context, child1, "123456789/non-mapped-collection")
-                .withName("Collection 2")
+            .withName("Collection 2")
-                .build();
+            .build();
         context.restoreAuthSystemState();
 
         Workflow defaultWorkflow = xmlWorkflowFactory.getDefaultWorkflow();
@@ -248,40 +297,41 @@ public class WorkflowDefinitionRestRepositoryIT extends AbstractControllerIntegr
             Collection firstNonMappedCollection = allNonMappedCollections.get(0);
 
             //When we call this facets endpoint
-            getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + defaultWorkflow.getID()
+            getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + defaultWorkflow.getID()
-                    + "/collections")
+                + "/collections")
-                    .param("size", "1"))
+                .param("size", "1"))
-                    //We expect a 200 OK status
+                //We expect a 200 OK status
-                    .andExpect(status().isOk())
+                .andExpect(status().isOk())
-                    //Number of total workflows is equals to number of configured workflows
+                //Number of total workflows is equals to number of configured workflows
-                    .andExpect(jsonPath("$.totalElements", is(allNonMappedCollections.size())))
+                .andExpect(jsonPath("$.totalElements", is(allNonMappedCollections.size())))
-                    //Page size is 1
+                //Page size is 1
-                    .andExpect(jsonPath("$.size", is(1)))
+                .andExpect(jsonPath("$.size", is(1)))
-                    //Page nr is 1
+                //Page nr is 1
-                    .andExpect(jsonPath("$.number", is(0)))
+                .andExpect(jsonPath("$.number", is(0)))
-                    //Contains only the first non-mapped collection
+                //Contains only the first non-mapped collection
-                    .andExpect(jsonPath("$.content", Matchers.contains(
+                .andExpect(jsonPath("$.content", Matchers.contains(
-                            WorkflowDefinitionMatcher.matchCollectionEntry(firstNonMappedCollection.getName(),
+                    WorkflowDefinitionMatcher.matchCollectionEntry(firstNonMappedCollection.getName(),
-                                    firstNonMappedCollection.getID(), firstNonMappedCollection.getHandle())
+                        firstNonMappedCollection.getID(), firstNonMappedCollection.getHandle())
-                    )));
+                )));
         }
     }
 
     @Test
     public void getCollectionsOfWorkflowByName_NonDefaultWorkflow() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         //We turn off the authorization system in order to create the structure as defined below
         context.turnOffAuthorisationSystem();
         //** GIVEN **
         //1. A community-collection structure with one parent community with sub-community and one collection.
         parentCommunity = CommunityBuilder.createCommunity(context)
-                .withName("Parent Community")
+            .withName("Parent Community")
-                .build();
+            .build();
         Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
-                .withName("Sub Community")
+            .withName("Sub Community")
-                .build();
+            .build();
         Collection col1 = CollectionBuilder.createCollection(context, child1, "123456789/workflow-test-1")
-                .withName("Collection 1")
+            .withName("Collection 1")
-                .build();
+            .build();
         // until handle 123456789/5 used in example in workflow.xml (if uncommented)
         context.restoreAuthSystemState();
 
@@ -296,47 +346,73 @@ public class WorkflowDefinitionRestRepositoryIT extends AbstractControllerIntegr
 
         if (StringUtils.isNotBlank(firstNonDefaultWorkflowName)) {
             List<Collection> mappedCollections
-                    = xmlWorkflowFactory.getCollectionHandlesMappedToWorklow(context, firstNonDefaultWorkflowName);
+                = xmlWorkflowFactory.getCollectionHandlesMappedToWorklow(context, firstNonDefaultWorkflowName);
             //When we call this facets endpoint
             if (mappedCollections.size() > 0) {
                 //returns array of collection jsons that are mapped to given workflow
                 //When we call this facets endpoint
                 Collection firstMappedCollection = mappedCollections.get(0);
-                getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + firstNonDefaultWorkflowName
+                getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + firstNonDefaultWorkflowName
-                        + "/collections")
+                    + "/collections")
-                        .param("size", "1"))
+                    .param("size", "1"))
-                        //We expect a 200 OK status
+                    //We expect a 200 OK status
-                        .andExpect(status().isOk())
+                    .andExpect(status().isOk())
-                        //Number of total workflows is equals to number of configured workflows
+                    //Number of total workflows is equals to number of configured workflows
-                        .andExpect(jsonPath("$.totalElements", is(mappedCollections.size())))
+                    .andExpect(jsonPath("$.totalElements", is(mappedCollections.size())))
-                        //Page size is 1
+                    //Page size is 1
-                        .andExpect(jsonPath("$.size", is(1)))
+                    .andExpect(jsonPath("$.size", is(1)))
-                        //Page nr is 1
+                    //Page nr is 1
-                        .andExpect(jsonPath("$.number", is(0)))
+                    .andExpect(jsonPath("$.number", is(0)))
-                        //Contains only the first mapped collection
+                    //Contains only the first mapped collection
-                        .andExpect(jsonPath("$.content", Matchers.contains(
+                    .andExpect(jsonPath("$.content", Matchers.contains(
-                                WorkflowDefinitionMatcher.matchCollectionEntry(firstMappedCollection.getName(),
+                        WorkflowDefinitionMatcher.matchCollectionEntry(firstMappedCollection.getName(),
-                                        firstMappedCollection.getID(), firstMappedCollection.getHandle())
+                            firstMappedCollection.getID(), firstMappedCollection.getHandle())
-                        )));
+                    )));
             } else {
                 //no collections mapped to this workflow
                 getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/"
-                        + firstNonDefaultWorkflowName + "/collections"))
+                    + firstNonDefaultWorkflowName + "/collections"))
-                        //We expect a 200 OK status
+                    //We expect a 200 OK status
-                        .andExpect(status().isOk())
+                    .andExpect(status().isOk())
-                        //results in empty list
+                    //results in empty list
-                        .andExpect(jsonPath("$.content", empty()));
+                    .andExpect(jsonPath("$.content", empty()));
             }
         }
     }
 
     @Test
     public void getCollectionsOfWorkflowByName_NonExistentWorkflow() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         String workflowName = "TestNameNonExistentWorkflow9999";
 
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + workflowName + "/collections"))
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + workflowName + "/collections"))
-                //We expect a 404 Not Found status
+            //We expect a 404 Not Found status
-                .andExpect(status().isNotFound());
+            .andExpect(status().isNotFound());
+    }
+
+    @Test
+    public void getCollectionsOfWorkflowByName_DefaultWorkflow_NoValidToken() throws Exception {
+        String token = "NonValidToken";
+        Workflow defaultWorkflow = xmlWorkflowFactory.getDefaultWorkflow();
+        List<Collection> allNonMappedCollections = xmlWorkflowFactory.getAllNonMappedCollectionsHandles(context);
+
+        //When we call this facets endpoint
+        getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + defaultWorkflow.getID()
+            + "/collections"))
+            //We expect a 403 Forbidden status
+            .andExpect(status().isForbidden());
+    }
+
+    @Test
+    public void getCollectionsOfWorkflowByName_DefaultWorkflow_NoToken() throws Exception {
+        Workflow defaultWorkflow = xmlWorkflowFactory.getDefaultWorkflow();
+        List<Collection> allNonMappedCollections = xmlWorkflowFactory.getAllNonMappedCollectionsHandles(context);
+
+        //When we call this facets endpoint
+        getClient().perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + defaultWorkflow.getID()
+            + "/collections"))
+            //We expect a 401 Unauthorized
+            .andExpect(status().isUnauthorized());
     }
 }

dspace-server-webapp/src/test/java/org/dspace/app/rest/WorkflowStepRestRepositoryIT.java

@@ -23,6 +23,7 @@ import org.junit.Test;
 
 /**
  * Integration tests for the {@link WorkflowStepRestRepository} controlled endpoints
+ *
  * @author Maria Verdonck (Atmire) on 13/01/2020
  */
 public class WorkflowStepRestRepositoryIT extends AbstractControllerIntegrationTest {
@@ -34,27 +35,47 @@ public class WorkflowStepRestRepositoryIT extends AbstractControllerIntegrationT
 
     @Test
     public void getAllWorkflowSteps_NonImplementedEndpoint() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_ACTIONS_ENDPOINT))
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT))
             //We expect a 405 Method not allowed status
             .andExpect(status().isMethodNotAllowed());
     }
 
+    @Test
+    public void getAllWorkflowSteps_NonImplementedEndpoint_NonValidToken() throws Exception {
+        String token = "NonValidToken";
+        //When we call this facets endpoint
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT))
+            //We expect a 403 Forbidden status
+            .andExpect(status().isForbidden());
+    }
+
+    @Test
+    public void getAllWorkflowSteps_NonImplementedEndpoint_NoToken() throws Exception {
+        //When we call this facets endpoint
+        getClient().perform(get(WORKFLOW_ACTIONS_ENDPOINT))
+            //We expect a 401 Unauthorized
+            .andExpect(status().isUnauthorized());
+    }
+
     @Test
     public void getWorkflowStepByName_NonExistentWorkflowStep() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         String nameNonExistentWorkflowActionName = "TestNameNonExistentWorkflowStep9999";
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameNonExistentWorkflowActionName))
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameNonExistentWorkflowActionName))
             //We expect a 404 Not Found status
             .andExpect(status().isNotFound());
     }
 
     @Test
     public void getWorkflowStepByName_ExistentStep_reviewstep() throws Exception {
+        String token = getAuthToken(eperson.getEmail(), password);
         String nameStep = "reviewstep";
         Step existentStep = xmlWorkflowFactory.getStepByName(nameStep);
         //When we call this facets endpoint
-        getClient().perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameStep))
+        getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameStep))
             //We expect a 200 is ok status
             .andExpect(status().isOk())
             //Matches expected step