Cleanup and start backfilling tests for token auth filter
[#145560395] https://www.pivotaltracker.com/story/show/145560395
Showing
5 changed files
with
374 additions
and
15 deletions.
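--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/JwtTokenGranter.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/JwtTokenGranter.java
@@ -0,0 +1,67 @@
+/*
+ * ****************************************************************************
+ * Cloud Foundry
+ * Copyright (c) [2009-2017] Pivotal Software, Inc. All Rights Reserved.
+ *
+ * This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ * You may not use this product except in compliance with the License.
+ *
+ * This product includes a number of subcomponents with
+ * separate copyright notices and license terms. Your use of these
+ * subcomponents is subject to the terms and conditions of the
+ * subcomponent's license, as noted in the LICENSE file.
+ * ****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.oauth.token;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.provider.ClientDetails;
+import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.DefaultSecurityContextAccessor;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
+import org.springframework.security.oauth2.provider.TokenRequest;
+import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
+import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
+
+import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_JWT_BEARER;
+
+public class JwtTokenGranter extends AbstractTokenGranter {
+
+protected JwtTokenGranter(AuthorizationServerTokenServices tokenServices,
+ClientDetailsService clientDetailsService,
+OAuth2RequestFactory requestFactory) {
+super(tokenServices, clientDetailsService, requestFactory, GRANT_TYPE_JWT_BEARER);
+}
+
+protected Authentication validateRequest(TokenRequest request) {
+if (new DefaultSecurityContextAccessor().isUser()) {
+if( request == null ||
+request.getRequestParameters() == null ||
+request.getRequestParameters().isEmpty()) {
+throw new InvalidGrantException("Missing token request object");
+}
+if(request.getRequestParameters().get("grant_type") == null) {
+throw new InvalidGrantException("Missing grant type");
+}
+if(!GRANT_TYPE_JWT_BEARER.equals(request.getRequestParameters().get("grant_type"))) {
+throw new InvalidGrantException("Invalid grant type");
+}
+} else {
+throw new InvalidGrantException("User authentication not found");
+}
+return SecurityContextHolder.getContext().getAuthentication();
+}
+
+@Override
+protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
+validateRequest(tokenRequest);
+Authentication userAuth = validateRequest(tokenRequest);
+OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);
+return new OAuth2Authentication(storedOAuth2Request, userAuth);
+}
+}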
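Review bot: `getOAuth2Authentication` calls `validateRequest(tokenRequest)` twice, the first result being discarded on the line before `Authentication userAuth = validateRequest(tokenRequest);`; drop the bare first call so the checks run once. `validateRequest` inspects only `grant_type` and then returns whatever `Authentication` the `SecurityContextHolder` currently holds, which the granter binds into the issued `OAuth2Authentication`; the class carries no Javadoc saying where that principal is expected to come from. If the bearer assertion is verified by an upstream filter (as the commit title suggests), state that precondition on the class, e.g. `/** Issues tokens for the jwt-bearer grant. Assumes the assertion was already authenticated upstream and the resulting user Authentication placed in the SecurityContext; this granter only checks the grant type before binding that principal to the client request. */`, so a later reader does not mistake the grant-type check for assertion validation.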
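--- a/...identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilterTest.java
+++ b/...identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilterTest.java
@@ -0,0 +1,111 @@
+/*
+ * ****************************************************************************
+ * Cloud Foundry
+ * Copyright (c) [2009-2017] Pivotal Software, Inc. All Rights Reserved.
+ *
+ * This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ * You may not use this product except in compliance with the License.
+ *
+ * This product includes a number of subcomponents with
+ * separate copyright notices and license terms. Your use of these
+ * subcomponents is subject to the terms and conditions of the
+ * subcomponent's license, as noted in the LICENSE file.
+ * ****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.authentication;
+
+import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationManager;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
+import org.springframework.security.saml.SAMLProcessingFilter;
+
+import javax.servlet.FilterChain;
+
+import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.GRANT_TYPE;
+import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_SAML2_BEARER;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.same;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyZeroInteractions;
+
+public class BackwardsCompatibleTokenEndpointAuthenticationFilterTest {
+
+
+private AuthenticationManager passwordAuthManager;
+private OAuth2RequestFactory requestFactory;
+private SAMLProcessingFilter samlAuthFilter;
+private XOAuthAuthenticationManager xoAuthAuthenticationManager;
+private BackwardsCompatibleTokenEndpointAuthenticationFilter filter;
+private MockHttpServletRequest request;
+private MockHttpServletResponse response;
+private FilterChain chain;
+
+@Before
+public void setUp() throws Exception {
+
+passwordAuthManager = mock(AuthenticationManager.class);
+requestFactory = mock(OAuth2RequestFactory.class);
+samlAuthFilter = mock(SAMLProcessingFilter.class);
+xoAuthAuthenticationManager = mock(XOAuthAuthenticationManager.class);
+
+filter = spy(
+new BackwardsCompatibleTokenEndpointAuthenticationFilter(
+passwordAuthManager,
+requestFactory,
+samlAuthFilter,
+xoAuthAuthenticationManager
+)
+);
+
+request = new MockHttpServletRequest("POST", "/oauth/token");
+response = new MockHttpServletResponse();
+chain = mock(FilterChain.class);
+}
+
+@After
+public void tearDown() throws Exception {
+SecurityContextHolder.clearContext();
+IdentityZoneHolder.clear();
+}
+
+@Test
+public void attempt_password_authentication() throws Exception {
+request.addParameter(GRANT_TYPE, "password");
+request.addParameter("username", "marissa");
+request.addParameter("password", "koala");
+filter.doFilter(request, response, chain);
+verify(filter, times(1)).attemptTokenAuthentication(same(request), same(response));
+verify(passwordAuthManager, times(1)).authenticate(any());
+verifyZeroInteractions(samlAuthFilter);
+verifyZeroInteractions(xoAuthAuthenticationManager);
+}
+
+@Test
+public void attempt_saml_assertion_authentication() throws Exception {
+request.addParameter(GRANT_TYPE, GRANT_TYPE_SAML2_BEARER);
+request.addParameter("assertion", "saml-assertion-value-here");
+filter.doFilter(request, response, chain);
+verify(filter, times(1)).attemptTokenAuthentication(same(request), same(response));
+verify(samlAuthFilter, times(1)).attemptAuthentication(same(request), same(response));
+verifyZeroInteractions(passwordAuthManager);
+verifyZeroInteractions(xoAuthAuthenticationManager);
+}
+
+@Test
+public void attempt_jwt_token_authentication() throws Exception {
+fail();
+}
+
+}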
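Review bot: `attempt_jwt_token_authentication` is an unconditional `fail()`, which turns the whole suite red until the jwt-bearer case is written and is indistinguishable from a real regression in a CI log; if the placeholder is deliberate, mark it `@Ignore("TODO: cover jwt-bearer grant dispatch")` or at least `fail("jwt-bearer path not yet covered");`. The two implemented tests only verify which collaborator is dispatched to: neither asserts anything about `chain` (a mock that is never verified) or about what `SecurityContextHolder` holds after `doFilter`, so a change that continues the chain or leaves a principal behind after a failed `authenticate` would pass both. Since this filter chooses which manager authenticates a token request, a negative case per grant type — mocked manager throws, chain not continued, context empty — would be the most valuable addition to the backfill.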