{"id":18941209,"url":"https://github.com/gingeleski/cucumber-spring-security-tests","last_synced_at":"2025-06-30T11:03:15.937Z","repository":{"id":76489620,"uuid":"123824124","full_name":"gingeleski/cucumber-spring-security-tests","owner":"gingeleski","description":"Cucumber/BDD security tests example for Java (Spring Boot API).","archived":false,"fork":false,"pushed_at":"2020-04-21T13:19:06.000Z","size":259,"stargazers_count":8,"open_issues_count":8,"forks_count":8,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-06-30T11:03:13.787Z","etag":null,"topics":["application-security","bdd-sample","bdd-tests","cucumber-jvm","devsecops","secdevops","security","security-automation","spring-boot","spring-boot-security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gingeleski.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-03-04T20:05:18.000Z","updated_at":"2025-05-20T03:23:09.000Z","dependencies_parsed_at":null,"dependency_job_id":"16dfd583-f1f0-4b0a-b797-377c07fef34b","html_url":"https://github.com/gingeleski/cucumber-spring-security-tests","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/gingeleski/cucumber-spring-security-tests","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gingeleski%2Fcucumber-spring-security-tests","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gingeleski%2Fcucumber-spring-security-tests/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gingeleski%2Fcucumber-spring-security-tests/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gingeleski%2Fcucumber-spring-security-tests/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gingeleski","download_url":"https://codeload.github.com/gingeleski/cucumber-spring-security-tests/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gingeleski%2Fcucumber-spring-security-tests/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262762436,"owners_count":23360326,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application-security","bdd-sample","bdd-tests","cucumber-jvm","devsecops","secdevops","security","security-automation","spring-boot","spring-boot-security"],"created_at":"2024-11-08T12:26:40.108Z","updated_at":"2025-06-30T11:03:15.869Z","avatar_url":"https://github.com/gingeleski.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\r\n# BDD security testing example for Java\r\n\r\nCucumber/BDD security tests example for Java (Spring Boot API).\r\n\r\nThis type of work has also been called \"security-as-code\" as written security requirements drive executable test logic.\r\n\r\nThere is a fairly comprehensive toy/sample application here to allow for realistic security testing.\r\n\r\n## Quickstart\r\n\r\nGrab the code.\r\n\r\n```\r\ngit clone https://github.com/gingeleski/cucumber-spring-security-tests.git\r\ncd cucumber-spring-security-tests\r\n```\r\n\r\nTo launch the API with a root address `http://localhost:8080/` ...\r\n\r\n```\r\n# Windows\r\n.\\gradlew.bat bootRun\r\n\r\n# Linux\r\n./gradlew bootRun\r\n```\r\n\r\nTo compile and then run the test suite...\r\n\r\n```\r\n# Windows\r\n.\\gradlew.bat build\r\n\r\n# Linux\r\n./gradlew build\r\n```\r\n\r\nIf you encounter issues, see the next section for Vagrant info. That virtual machine will have all dependencies.\r\n\r\nThis project has been developed for Java 13 and very current Spring Boot dependencies (April 2020).\r\n\r\n## Vagrant\r\n\r\nAn Ubuntu 19.x virtual machine has been configured with Vagrant (2.2.7) for this project.\r\n\r\nWith Vagrant installed, you should be able to simply run `vagrant up` from the root of this project.\r\n\r\nNotable dependencies and components in this image are as follows...\r\n\r\n- Java 13 (OpenJDK 13)\r\n- Gradle 6.x\r\n- BDD-Security\r\n    - [@gingeleski fork](https://github.com/gingeleski/bdd-security)\r\n    \r\n## Development setup\r\n\r\nBuilding on the **Quickstart** and **Vagrant** subsections, a suggested workflow for developers will be described here.\r\n\r\n1. Install IntelliJ IDEA if you don't already have it. Community edition is fine.\r\n2. Install Java 13 (JDK) locally if you don't already have it. This is for IntelliJ to point to and resolve dependencies, syntax.\r\n3. Clone this project code locally.\r\n4. Initialize the virtual machine for this project with Vagrant.\r\n5. Dynamically generate the IntelliJ project files on your local machine using the Gradle wrapper.\r\n6. Open IntelliJ and use that for your development needs.\r\n7. Use this project's virtual machine to build the code and run the test suite.\r\n8. Execute version control from your local machine where you presumably have Github credentials set up already.\r\n\r\nCommands for steps 3 through 6 are as follows.\r\n\r\n```\r\ngit clone https://github.com/gingeleski/cucumber-spring-security-tests.git\r\ncd cucumber-spring-security-tests\r\n\r\nvagrant up\r\n\r\n# Windows\r\n.\\gradlew.bat idea\r\n# Linux\r\n./gradlew idea\r\n\r\n# Windows\r\n.\\gradlew.bat openIdea\r\n# Linux\r\n./gradlew openIdea\r\n```\r\n\r\nGoing into your virtual machine to do step 7 can be performed as follows.\r\n\r\n```\r\n# From your local machine, confirm your VM is running\r\nvagrant status\r\n\r\n# If it's NOT running then do...\r\nvagrant up\r\n\r\n# Go into the VM to run commands now\r\nvagrant ssh\r\n\r\n# Make working directory the mapped folder where Vagrantfile resides - so, this project folder\r\ncd /vagrant\r\n\r\n# Compile and test the code\r\ngradle build\r\n\r\n# View all other possible Gradle tasks\r\ngradle tasks\r\n```\r\n\r\n## RoomBook sample API\r\n\r\nThe toy/sample application \"RoomBook\" is a room reservation system, like corporate drones will be familiar with.\r\n\r\nThe API is documented in an OpenAPI version 3.0 spec that resides at `/openapi.json`.\r\n\r\n### Role-based access control\r\n\r\nBelow is an *overall* plan for authorization.\r\n\r\n- Office Administrator (`ROLE_ADMIN`)\r\n    - Can add rooms\r\n    - Can modify rooms\r\n    - Can delete rooms\r\n    - Can create appointments for anyone\r\n    - Can modify appointments for anyone\r\n    - Can delete appointments for anyone\r\n- HR Manager (`ROLE_HR_MGR`)\r\n    - Can change someone's access level\r\n    - Can add a user\r\n    - Can delete a user\r\n- Administrative Assistant (`ROLE_ASSISTANT`)\r\n    - Has the capabilities of a 'Regular Employee' but can also...\r\n    - Make reservations for someone else who they're authorized to assist\r\n    - Modify a reservation for that person\r\n    - Cancel a reservation for that person\r\n- Regular Employee (`ROLE_EMPLOYEE`)\r\n    - Can view a list of rooms\r\n    - Can get a room's availability\r\n    - Can make a reservation for self\r\n    - Can modify a reservation for self\r\n    - Can cancel a reservation for self\r\n    \r\nNote that the API in its current state may not support *all* of these actions.\r\n\r\n### Test data\r\n\r\n\"Canned data\" comes from `src/main/java/resources/import.sql`, directed to an H2 (in-memory) relational database.\r\n\r\nThe following test users will be set up...\r\n\r\n| Username        | Password   | Authorization    | Activated |\r\n|-----------------|------------|------------------|-----------|\r\n| `administrator` | `admin`    | `ROLE_ADMIN`     | True      |\r\n| `employee`      | `password` | `ROLE_EMPLOYEE`  | True      |\r\n| `disabled`      | `password` | `ROLE_EMPLOYEE`  | False     |\r\n| `assistant`     | `password` | `ROLE_ASSISTANT` | True      |\r\n| `hrmanager`     | `password` | `ROLE_HR_MGR`    | True      |\r\n\r\n## API calls\r\n\r\nThese detailed calls represent the current state of the API.\r\n\r\nPay particular attention to any noted TODOs, and note there may be some lacking functionality versus the access control list.\r\n\r\n- `POST /api/authenticate`\r\n    - Authenticates user\r\n        - Sets JWT good for 24 hours\r\n            - Use in `Authorization: Bearer ...` header\r\n    - Only endpoint you can hit unauthenticated\r\n    - Input\r\n        - Data transfer object (DTO) as JSON\r\n            - Make sure your request has `Content-Type: application/json`\r\n        - `username` is a string, required\r\n        - `password` is a string, required\r\n    - Output\r\n        - JSON\r\n            - Where JWT is in field `id_token`\r\n- `GET /api/rooms`\r\n    - Get list of all rooms\r\n    - Must be authenticated as at least `EMPLOYEE`\r\n    - Output\r\n        - JSON\r\n- `GET /api/rooms/{roomName}`\r\n    - Get information on the room with this room name\r\n    - Must be authenticated as at least `EMPLOYEE`\r\n    - Output\r\n        - JSON\r\n- `GET /api/rooms/{roomName}/availability`\r\n    - Returns availability for the room with this room name\r\n    - Must be authenticated as at least `EMPLOYEE`\r\n    - Input\r\n        - Optional query parameters for filtering (TODO)\r\n            - `start` is a Unix time which available time blocks must be equal or later than\r\n            - `end` is a Unix time which available time blocks must be earlier or equal to\r\n    - Output\r\n        - JSON\r\n- `POST /api/admin/clearAllRooms` (TODO)\r\n    - Deletes all rooms in the system\r\n    - Must be authenticated as `ADMIN`\r\n- `POST /api/admin/clearAllReservations` (TODO)\r\n    - Deletes all appointments for every room, from now into the future\r\n    - Must be authenticated as `ADMIN`\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgingeleski%2Fcucumber-spring-security-tests","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgingeleski%2Fcucumber-spring-security-tests","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgingeleski%2Fcucumber-spring-security-tests/lists"}