feat: Make allowed domain configurable and add unit tests

devondragon · devondragon · commit 41594608dbef · 2026-03-12T16:49:36.000-06:00
Replace hardcoded ALLOWED_DOMAIN constant with @Value-injected property
(registration.guard.allowed-domain, defaults to @example.com). Add 10
unit tests covering all code paths for DomainRegistrationGuard.
diff --git a/src/main/java/com/digitalsanctuary/spring/demo/registration/DomainRegistrationGuard.java b/src/main/java/com/digitalsanctuary/spring/demo/registration/DomainRegistrationGuard.java
@@ -2,6 +2,7 @@
 
 import java.util.Locale;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Profile;
 import org.springframework.stereotype.Component;
 
@@ -13,8 +14,8 @@
 import lombok.extern.slf4j.Slf4j;
 
 /**
- * Sample {@link RegistrationGuard} that restricts form and passwordless registration to
- * {@code @example.com} email addresses while allowing all OAuth2/OIDC registrations.
+ * Sample {@link RegistrationGuard} that restricts form and passwordless registration to a
+ * configurable email domain while allowing all OAuth2/OIDC registrations.
  *
  * <p>This guard is only active when the {@code registration-guard} Spring profile is enabled.
  * To try it out, add {@code registration-guard} to your active profiles:</p>
@@ -23,6 +24,9 @@
  * ./gradlew bootRun --args='--spring.profiles.active=local,registration-guard'
  * </pre>
  *
+ * <p>The allowed domain can be configured via the {@code registration.guard.allowed-domain}
+ * property (defaults to {@code @example.com}).</p>
+ *
  * <p>See the
  * <a href="https://github.com/devondragon/SpringUserFramework/blob/main/REGISTRATION-GUARD.md">
  * Registration Guard documentation</a> for the full SPI reference.</p>
@@ -36,7 +40,12 @@
 @Profile("registration-guard")
 public class DomainRegistrationGuard implements RegistrationGuard {
 
-    private static final String ALLOWED_DOMAIN = "@example.com";
+    private final String allowedDomain;
+
+    public DomainRegistrationGuard(
+            @Value("${registration.guard.allowed-domain:@example.com}") String allowedDomain) {
+        this.allowedDomain = allowedDomain.toLowerCase(Locale.ROOT);
+    }
 
     @Override
     public RegistrationDecision evaluate(RegistrationContext context) {
@@ -51,13 +60,13 @@ public RegistrationDecision evaluate(RegistrationContext context) {
         }
 
         // For form/passwordless, restrict to the allowed domain
-        if (context.email() != null && context.email().toLowerCase(Locale.ROOT).endsWith(ALLOWED_DOMAIN)) {
+        if (context.email() != null && context.email().toLowerCase(Locale.ROOT).endsWith(allowedDomain)) {
             log.debug("Allowing registration for approved domain: {}", context.email());
             return RegistrationDecision.allow();
         }
 
         log.info("Denied registration for: {} (domain not allowed)", context.email());
         return RegistrationDecision.deny(
-                "Registration is restricted to " + ALLOWED_DOMAIN + " email addresses.");
+                "Registration is restricted to " + allowedDomain + " email addresses.");
     }
 }
diff --git a/src/test/java/com/digitalsanctuary/spring/demo/registration/DomainRegistrationGuardTest.java b/src/test/java/com/digitalsanctuary/spring/demo/registration/DomainRegistrationGuardTest.java
@@ -0,0 +1,89 @@
+package com.digitalsanctuary.spring.demo.registration;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.junit.jupiter.api.Test;
+
+import com.digitalsanctuary.spring.user.registration.RegistrationContext;
+import com.digitalsanctuary.spring.user.registration.RegistrationDecision;
+import com.digitalsanctuary.spring.user.registration.RegistrationSource;
+
+class DomainRegistrationGuardTest {
+
+    private final DomainRegistrationGuard guard = new DomainRegistrationGuard("@example.com");
+
+    @Test
+    void formRegistrationWithAllowedDomainIsAllowed() {
+        RegistrationContext context = new RegistrationContext("user@example.com", RegistrationSource.FORM, null);
+        RegistrationDecision decision = guard.evaluate(context);
+        assertTrue(decision.allowed());
+    }
+
+    @Test
+    void formRegistrationWithDisallowedDomainIsDenied() {
+        RegistrationContext context = new RegistrationContext("user@other.com", RegistrationSource.FORM, null);
+        RegistrationDecision decision = guard.evaluate(context);
+        assertFalse(decision.allowed());
+        assertTrue(decision.reason().contains("@example.com"));
+    }
+
+    @Test
+    void passwordlessRegistrationWithAllowedDomainIsAllowed() {
+        RegistrationContext context = new RegistrationContext("user@example.com", RegistrationSource.PASSWORDLESS, null);
+        RegistrationDecision decision = guard.evaluate(context);
+        assertTrue(decision.allowed());
+    }
+
+    @Test
+    void passwordlessRegistrationWithDisallowedDomainIsDenied() {
+        RegistrationContext context = new RegistrationContext("user@other.com", RegistrationSource.PASSWORDLESS, null);
+        RegistrationDecision decision = guard.evaluate(context);
+        assertFalse(decision.allowed());
+    }
+
+    @Test
+    void oauth2RegistrationIsAlwaysAllowed() {
+        RegistrationContext context = new RegistrationContext("user@other.com", RegistrationSource.OAUTH2, "google");
+        RegistrationDecision decision = guard.evaluate(context);
+        assertTrue(decision.allowed());
+    }
+
+    @Test
+    void oidcRegistrationIsAlwaysAllowed() {
+        RegistrationContext context = new RegistrationContext("user@other.com", RegistrationSource.OIDC, "keycloak");
+        RegistrationDecision decision = guard.evaluate(context);
+        assertTrue(decision.allowed());
+    }
+
+    @Test
+    void nullEmailIsDenied() {
+        RegistrationContext context = new RegistrationContext(null, RegistrationSource.FORM, null);
+        RegistrationDecision decision = guard.evaluate(context);
+        assertFalse(decision.allowed());
+    }
+
+    @Test
+    void domainCheckIsCaseInsensitive() {
+        RegistrationContext context = new RegistrationContext("user@EXAMPLE.COM", RegistrationSource.FORM, null);
+        RegistrationDecision decision = guard.evaluate(context);
+        assertTrue(decision.allowed());
+    }
+
+    @Test
+    void customDomainIsRespected() {
+        DomainRegistrationGuard customGuard = new DomainRegistrationGuard("@mycompany.org");
+        RegistrationContext allowed = new RegistrationContext("user@mycompany.org", RegistrationSource.FORM, null);
+        RegistrationContext denied = new RegistrationContext("user@example.com", RegistrationSource.FORM, null);
+        assertTrue(customGuard.evaluate(allowed).allowed());
+        assertFalse(customGuard.evaluate(denied).allowed());
+    }
+
+    @Test
+    void configuredDomainIsCaseInsensitive() {
+        DomainRegistrationGuard upperGuard = new DomainRegistrationGuard("@EXAMPLE.COM");
+        RegistrationContext context = new RegistrationContext("user@example.com", RegistrationSource.FORM, null);
+        assertTrue(upperGuard.evaluate(context).allowed());
+    }
+}
