test: adapt relocated framework integration tests to 4.4.0 behavior

The integration tests under com.digitalsanctuary.spring.user.* were moved
from the library into this demo. 4.4.0's security hardening changed four
behaviors they assert against; this updates them to the new, correct
behavior (full suite green again: 301 tests, 0 failures).

Test isolation (application-test.properties):
- Switch the H2 URL to jdbc:h2:mem:testdb-${random.uuid} and ddl-auto to
  create-drop so each Spring context gets its own database. 4.4.0 made
  registerNewUserAccount run with Propagation.NOT_SUPPORTED and the
  LoginAttemptService mutations @transactional, so they COMMIT in their own
  transactions and survive a test's @transactional rollback. With the old
  shared db name those committed rows leaked across classes and collided
  with other classes' deleteAll()/registration (UserAlreadyExistException,
  FK_VERIFY_USER violations). Mirrors the library's own test-isolation fix.

Behavior changes adapted:
- Account status enforced on load (LoginHelperService.assertAccountUsable):
  DSUserDetailsService now throws LockedException/DisabledException for
  locked/disabled accounts. DSUserDetailsServiceIntegrationTest now asserts
  those exceptions, and pins accountLockoutDuration so the auto-unlock case
  is deterministic.
- registerNewUserAccount commits outside the test transaction:
  AccountLockoutIntegrationTest seeds its user via the repository (in-tx,
  rolls back) instead of the registration service; UserApiIntegrationTestFixed
  cleans up the committed user in a REQUIRES_NEW transaction before/after
  each test so registrations don't collide.
- Role names are now granted as authorities (for hasRole() checks):
  AuthorityServiceIntegrationTest expects the ROLE_* names alongside the
  privileges.
- RegistrationListener skips the verification email for already-enabled
  users: EventSystemIntegrationTest builds its user as unverified so the
  registration-email events still fire.

Author: devondragon

src/test/java/com/digitalsanctuary/spring/user/api/UserApiIntegrationTestFixed.java

@@ -5,6 +5,7 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
@@ -16,12 +17,16 @@
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.transaction.PlatformTransactionManager;
+import org.springframework.transaction.TransactionDefinition;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.transaction.support.TransactionTemplate;
 import com.digitalsanctuary.spring.demo.UserDemoApplication;
 import com.digitalsanctuary.spring.user.dto.UserDto;
 import com.digitalsanctuary.spring.user.mail.MailService;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
+import com.digitalsanctuary.spring.user.persistence.repository.VerificationTokenRepository;
 import com.digitalsanctuary.spring.user.service.UserService;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.persistence.EntityManager;
@@ -50,24 +55,61 @@ class UserApiIntegrationTestFixed {
     @Autowired
     private UserService userService;
 
+    @Autowired
+    private VerificationTokenRepository verificationTokenRepository;
+
+    @Autowired
+    private PlatformTransactionManager transactionManager;
+
     @MockitoBean
     private MailService mailService;
 
     @PersistenceContext
     private EntityManager entityManager;
 
+    private static final String TEST_EMAIL = "test@example.com";
+
     private UserDto testUserDto;
 
     @BeforeEach
     void setUp() {
+        // Start from a clean slate. Registration (via the API and via UserService.registerNewUserAccount)
+        // commits the new user in its own transaction as of 4.4.0 — it does NOT roll back with the test's
+        // @Transactional. Without a committed cleanup, the user persisted by one test method collides with
+        // the next (UserAlreadyExistException / 409 Conflict).
+        deleteTestUserCommitted();
+
         testUserDto = new UserDto();
         testUserDto.setFirstName("Test");
         testUserDto.setLastName("User");
-        testUserDto.setEmail("test@example.com");
+        testUserDto.setEmail(TEST_EMAIL);
         testUserDto.setPassword("SecurePass123!");
         testUserDto.setMatchingPassword("SecurePass123!");
     }
 
+    @AfterEach
+    void tearDown() {
+        // Remove the user committed by this test so it cannot leak into other tests.
+        deleteTestUserCommitted();
+    }
+
+    /**
+     * Deletes the test user (and any verification token) in its own committed transaction. A
+     * REQUIRES_NEW transaction is required because the class is {@code @Transactional}: a plain delete here
+     * would roll back with the test and never actually remove the committed registration row.
+     */
+    private void deleteTestUserCommitted() {
+        TransactionTemplate tx = new TransactionTemplate(transactionManager);
+        tx.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRES_NEW);
+        tx.executeWithoutResult(status -> {
+            User existing = userRepository.findByEmail(TEST_EMAIL);
+            if (existing != null) {
+                verificationTokenRepository.deleteByUser(existing);
+                userRepository.delete(existing);
+            }
+        });
+    }
+
     @Test
     @DisplayName("Should successfully register new user")
     void shouldRegisterNewUser() throws Exception {

src/test/java/com/digitalsanctuary/spring/user/integration/AuthorityServiceIntegrationTest.java

@@ -139,9 +139,9 @@ void getAuthoritiesFromUser_persistedUser_loadsAuthoritiesWithLazyLoading() {
                 Collection<? extends GrantedAuthority> authorities = authorityService
                                 .getAuthoritiesFromUser(fetchedUser);
 
-                // Then
-                assertThat(authorities).hasSize(3).extracting(GrantedAuthority::getAuthority).containsExactlyInAnyOrder(
-                                "LOGIN_PRIVILEGE",
+                // Then - as of 4.4.0 the role name itself is also granted (needed for hasRole() checks)
+                assertThat(authorities).hasSize(4).extracting(GrantedAuthority::getAuthority).containsExactlyInAnyOrder(
+                                "ROLE_USER", "LOGIN_PRIVILEGE",
                                 "UPDATE_OWN_USER_PRIVILEGE", "RESET_OWN_PASSWORD_PRIVILEGE");
         }
 
@@ -159,9 +159,10 @@ void getAuthoritiesFromUser_multipleRoles_combinesAllPrivileges() {
                 Collection<? extends GrantedAuthority> authorities = authorityService
                                 .getAuthoritiesFromUser(multiRoleUser);
 
-                // Then
-                assertThat(authorities).hasSize(6) // 3 from user role + 3 from manager role
-                                .extracting(GrantedAuthority::getAuthority).containsExactlyInAnyOrder("LOGIN_PRIVILEGE",
+                // Then - 6 privileges + the two role names (ROLE_USER, ROLE_MANAGER) granted as of 4.4.0
+                assertThat(authorities).hasSize(8) // 3 user + 3 manager privileges + 2 role names
+                                .extracting(GrantedAuthority::getAuthority).containsExactlyInAnyOrder("ROLE_USER",
+                                                "ROLE_MANAGER", "LOGIN_PRIVILEGE",
                                                 "UPDATE_OWN_USER_PRIVILEGE",
                                                 "RESET_OWN_PASSWORD_PRIVILEGE", "ADD_USER_TO_TEAM_PRIVILEGE",
                                                 "REMOVE_USER_FROM_TEAM_PRIVILEGE",
@@ -180,9 +181,9 @@ void getAuthoritiesFromUser_adminUser_hasAllAdminPrivileges() {
                 // When
                 Collection<? extends GrantedAuthority> authorities = authorityService.getAuthoritiesFromUser(adminUser);
 
-                // Then
-                assertThat(authorities).hasSize(5).extracting(GrantedAuthority::getAuthority).containsExactlyInAnyOrder(
-                                "ADMIN_PRIVILEGE",
+                // Then - 5 admin privileges + the ROLE_ADMIN role name granted as of 4.4.0
+                assertThat(authorities).hasSize(6).extracting(GrantedAuthority::getAuthority).containsExactlyInAnyOrder(
+                                "ROLE_ADMIN", "ADMIN_PRIVILEGE",
                                 "INVITE_USER_PRIVILEGE", "READ_USER_PRIVILEGE", "ASSIGN_MANAGER_PRIVILEGE",
                                 "RESET_ANY_USER_PASSWORD_PRIVILEGE");
         }
@@ -206,9 +207,9 @@ void getAuthoritiesFromRoles_sharedPrivileges_deduplicatesCorrectly() {
                 Collection<? extends GrantedAuthority> authorities = authorityService
                                 .getAuthoritiesFromRoles(Arrays.asList(role1, role2));
 
-                // Then - Should only have 4 unique privileges (3 from user + 1 shared)
-                assertThat(authorities).hasSize(4).extracting(GrantedAuthority::getAuthority).containsExactlyInAnyOrder(
-                                "LOGIN_PRIVILEGE",
+                // Then - 4 unique privileges (3 from user + 1 shared) + the two role names granted as of 4.4.0
+                assertThat(authorities).hasSize(6).extracting(GrantedAuthority::getAuthority).containsExactlyInAnyOrder(
+                                "ROLE_TEST1", "ROLE_TEST2", "LOGIN_PRIVILEGE",
                                 "UPDATE_OWN_USER_PRIVILEGE", "RESET_OWN_PASSWORD_PRIVILEGE", "SHARED_PRIVILEGE");
         }
 
@@ -247,9 +248,11 @@ void getAuthoritiesFromRoles_separatelyLoadedRoles_worksCorrectly() {
                 Collection<? extends GrantedAuthority> authorities = authorityService.getAuthoritiesFromRoles(
                                 Arrays.asList(loadedUserRole, loadedManagerRole, loadedAdminRole));
 
-                // Then - Should have all unique privileges from all three roles
-                assertThat(authorities).hasSize(11) // 3 + 3 + 5 unique privileges
+                // Then - all unique privileges from all three roles, plus the three role names granted as of 4.4.0
+                assertThat(authorities).hasSize(14) // 3 + 3 + 5 privileges + 3 role names
                                 .extracting(GrantedAuthority::getAuthority).contains(
+                                                // Role names
+                                                "ROLE_USER", "ROLE_MANAGER", "ROLE_ADMIN",
                                                 // User privileges
                                                 "LOGIN_PRIVILEGE", "UPDATE_OWN_USER_PRIVILEGE",
                                                 "RESET_OWN_PASSWORD_PRIVILEGE",

src/test/java/com/digitalsanctuary/spring/user/integration/DSUserDetailsServiceIntegrationTest.java

@@ -13,8 +13,11 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.DisplayName;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.DisabledException;
+import org.springframework.security.authentication.LockedException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.test.context.TestPropertySource;
 import org.springframework.transaction.annotation.Transactional;
 
 import com.digitalsanctuary.spring.user.persistence.model.Privilege;
@@ -40,6 +43,10 @@
  * - Account unlock functionality
  */
 @IntegrationTest
+// A positive lockout duration makes auto-unlock deterministic: a user locked longer ago than this window
+// is eligible to be unlocked on load, while one just locked stays locked. (The framework reads
+// user.security.accountLockoutDuration; >= 0 enables time-based auto-unlock.)
+@TestPropertySource(properties = "user.security.accountLockoutDuration=30")
 @DisplayName("DSUserDetailsService Integration Tests")
 class DSUserDetailsServiceIntegrationTest {
 
@@ -129,6 +136,7 @@ void loadUserByUsername_autoUnlocksEligibleUser() {
                 .withEmail("autounlock@test.com")
                 .withLockedDate(oldLockDate)
                 .withFailedLoginAttempts(5)
+                .verified() // enabled, so that once auto-unlocked the account is fully usable
                 .withId(null)
                 .build();
         lockedUser.setRoles(new ArrayList<>(Arrays.asList(userRole)));
@@ -137,14 +145,14 @@ void loadUserByUsername_autoUnlocksEligibleUser() {
         // Verify user is initially locked
         assertThat(lockedUser.isLocked()).isTrue();
 
-        // When
+        // When - the lock is older than accountLockoutDuration (30m), so loading auto-unlocks the account
         DSUserDetails result = dsUserDetailsService.loadUserByUsername("autounlock@test.com");
 
-        // Then - Depending on configuration, user might be unlocked
-        // Note: This behavior depends on accountLockoutDuration configuration
-        // If configured to auto-unlock after certain time, the user should be unlocked
+        // Then - the user is unlocked on load and authentication succeeds
         assertThat(result).isNotNull();
         assertThat(result.getUsername()).isEqualTo("autounlock@test.com");
+        assertThat(result.isAccountNonLocked()).isTrue();
+        assertThat(userRepository.findByEmail("autounlock@test.com").isLocked()).isFalse();
     }
 
     @Test
@@ -247,8 +255,8 @@ void loadUserByUsername_mapsAllUserDetailsProperties() {
 
     @Test
     @Transactional
-    @DisplayName("Should handle disabled user correctly")
-    void loadUserByUsername_disabledUser_returnsWithCorrectStatus() {
+    @DisplayName("Should reject loading a disabled user")
+    void loadUserByUsername_disabledUser_throwsDisabledException() {
         // Given
         User disabledUser = UserTestDataBuilder.anUnverifiedUser()
                 .withEmail("disabled@test.com")
@@ -257,27 +265,24 @@ void loadUserByUsername_disabledUser_returnsWithCorrectStatus() {
         disabledUser.setRoles(new ArrayList<>(Arrays.asList(userRole)));
         userRepository.save(disabledUser);
 
-        // When
-        DSUserDetails result = dsUserDetailsService.loadUserByUsername("disabled@test.com");
-
-        // Then
-        assertThat(result).isNotNull();
-        assertThat(result.isEnabled()).isFalse();
-        assertThat(result.isAccountNonLocked()).isTrue();
-        assertThat(result.getUsername()).isEqualTo("disabled@test.com");
+        // When & Then - as of 4.4.0 the login helper enforces account status on every auth path, so loading
+        // a disabled (unverified) account throws rather than returning a principal with isEnabled()==false.
+        assertThatThrownBy(() -> dsUserDetailsService.loadUserByUsername("disabled@test.com"))
+                .isInstanceOf(DisabledException.class);
     }
 
     @Test
     @Transactional
-    @DisplayName("Should handle currently locked user correctly")
-    void loadUserByUsername_currentlyLockedUser_returnsWithLockedStatus() {
-        // Given - Create a recently locked user (should remain locked)
+    @DisplayName("Should reject loading a currently locked user")
+    void loadUserByUsername_currentlyLockedUser_throwsLockedException() {
+        // Given - a user locked just now: well inside the accountLockoutDuration window, so it must NOT
+        // auto-unlock and stays locked.
         Date recentLockDate = new Date();
 
         User lockedUser = UserTestDataBuilder.aLockedUser()
                 .withEmail("locked@test.com")
                 .withLockedDate(recentLockDate)
-                .verified() // Make the user enabled but locked
+                .verified() // enabled but locked, to prove lock (not disabled) is what rejects the load
                 .withId(null)
                 .build();
         lockedUser.setRoles(new ArrayList<>(Arrays.asList(userRole)));
@@ -286,26 +291,9 @@ void loadUserByUsername_currentlyLockedUser_returnsWithLockedStatus() {
         // Verify user is initially locked
         assertThat(lockedUser.isLocked()).isTrue();
 
-        // When
-        DSUserDetails result = dsUserDetailsService.loadUserByUsername("locked@test.com");
-
-        // Then
-        assertThat(result).isNotNull();
-        assertThat(result.isEnabled()).isTrue(); // Locked users can still be enabled
-
-        // Check the actual lock status - it depends on configuration
-        // If accountLockoutDuration is 0, the user might be unlocked immediately
-        // If it's > 0, the user should remain locked since we just locked them
-        User userAfterLoad = userRepository.findByEmail("locked@test.com");
-
-        // The test should verify the actual behavior based on configuration
-        // If the user is still locked, isAccountNonLocked should be false
-        // If the user was unlocked by the service, isAccountNonLocked should be true
-        if (userAfterLoad.isLocked()) {
-            assertThat(result.isAccountNonLocked()).isFalse();
-        } else {
-            // User was unlocked by the service
-            assertThat(result.isAccountNonLocked()).isTrue();
-        }
+        // When & Then - loading a still-locked account throws LockedException (checked before disabled status)
+        assertThatThrownBy(() -> dsUserDetailsService.loadUserByUsername("locked@test.com"))
+                .isInstanceOf(LockedException.class);
+        assertThat(userRepository.findByEmail("locked@test.com").isLocked()).isTrue();
     }
 }

src/test/java/com/digitalsanctuary/spring/user/integration/EventSystemIntegrationTest.java

@@ -67,7 +67,10 @@ public TestEventCapture testEventCapture() {
 
     @BeforeEach
     void setUp() {
-        testUser = UserTestDataBuilder.aUser().withId(1L).withEmail("test@example.com").withFirstName("Test").withLastName("User").enabled().build();
+        // The user must be UNVERIFIED (disabled): as of 4.4.0 RegistrationListener skips sending the
+        // verification email when the user is already enabled, which is the realistic state for a brand-new
+        // registration. An enabled user here would make the registration-email assertions never fire.
+        testUser = UserTestDataBuilder.aUser().withId(1L).withEmail("test@example.com").withFirstName("Test").withLastName("User").unverified().build();
         eventCapture.clear();
     }
 

src/test/java/com/digitalsanctuary/spring/user/security/AccountLockoutIntegrationTest.java

@@ -5,6 +5,7 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import java.util.ArrayList;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
@@ -25,12 +26,12 @@
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.transaction.annotation.Transactional;
 import com.digitalsanctuary.spring.demo.UserDemoApplication;
-import com.digitalsanctuary.spring.user.dto.UserDto;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
 import com.digitalsanctuary.spring.user.service.LoginAttemptService;
 import com.digitalsanctuary.spring.user.service.UserService;
 import com.digitalsanctuary.spring.user.test.annotations.IntegrationTest;
+import com.digitalsanctuary.spring.user.test.builders.UserTestDataBuilder;
 import jakarta.persistence.EntityManager;
 
 /**
@@ -79,19 +80,15 @@ void setUp() {
         }
         entityManager.flush();
 
-        // Create test user
-        UserDto userDto = new UserDto();
-        userDto.setFirstName("Lockout");
-        userDto.setLastName("Test");
-        userDto.setEmail(TEST_EMAIL);
-        userDto.setPassword(TEST_PASSWORD);
-        userDto.setMatchingPassword(TEST_PASSWORD);
-
-        userService.registerNewUserAccount(userDto);
-
-        // Enable the user
-        entityManager.createNativeQuery("UPDATE user_account SET enabled = true WHERE email = :email").setParameter("email", TEST_EMAIL)
-                .executeUpdate();
+        // Create the test user directly via the repository so it lives inside the test's transaction and
+        // rolls back cleanly. As of 4.4.0, UserService.registerNewUserAccount runs with
+        // Propagation.NOT_SUPPORTED and commits the new user in its own transaction, which would survive
+        // the rollback and leak the same email into the next test method (UserAlreadyExistException). The
+        // lockout tests only need a persisted, enabled user row; they exercise LoginAttemptService directly.
+        User user = UserTestDataBuilder.aUser().withEmail(TEST_EMAIL).withFirstName("Lockout").withLastName("Test")
+                .withPassword(TEST_PASSWORD).verified().withId(null).build();
+        user.setRoles(new ArrayList<>());
+        userRepository.save(user);
         entityManager.flush();
     }