Cleanup and start backfilling tests for token auth filter

[#145560395] https://www.pivotaltracker.com/story/show/145560395

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilter.java

@@ -15,6 +15,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationManager;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -46,7 +47,6 @@
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Set;
 
 import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_SAML2_BEARER;
 
@@ -71,20 +71,24 @@ public class BackwardsCompatibleTokenEndpointAuthenticationFilter implements Fil
 
     private final SAMLProcessingFilter samlAuthenticationFilter;
 
+    private final XOAuthAuthenticationManager xoAuthAuthenticationManager;
+
     public BackwardsCompatibleTokenEndpointAuthenticationFilter(AuthenticationManager authenticationManager,
                                                                 OAuth2RequestFactory oAuth2RequestFactory) {
-        this(authenticationManager, oAuth2RequestFactory, null);
+        this(authenticationManager, oAuth2RequestFactory, null, null);
     }
     /**
      * @param authenticationManager an AuthenticationManager for the incoming request
      */
     public BackwardsCompatibleTokenEndpointAuthenticationFilter(AuthenticationManager authenticationManager,
                                                                 OAuth2RequestFactory oAuth2RequestFactory,
-                                                                SAMLProcessingFilter samlAuthenticationFilter) {
+                                                                SAMLProcessingFilter samlAuthenticationFilter,
+                                                                XOAuthAuthenticationManager xoAuthAuthenticationManager) {
         super();
         this.authenticationManager = authenticationManager;
         this.oAuth2RequestFactory = oAuth2RequestFactory;
         this.samlAuthenticationFilter = samlAuthenticationFilter;
+        this.xoAuthAuthenticationManager = xoAuthAuthenticationManager;
     }
 
     /**
@@ -113,7 +117,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
         final HttpServletResponse response = (HttpServletResponse) res;
 
         try {
-            Authentication userAuthentication = extractCredentials(request, response);
+            Authentication userAuthentication = attemptTokenAuthentication(request, response);
 
             if (userAuthentication != null) {
                 Authentication clientAuth = SecurityContextHolder.getContext().getAuthentication();
@@ -203,7 +207,7 @@ protected Authentication extractCredentials(HttpServletRequest request) {
         return credentials;
     }
 
-    protected Authentication extractCredentials(HttpServletRequest request, HttpServletResponse response) {
+    protected Authentication attemptTokenAuthentication(HttpServletRequest request, HttpServletResponse response) {
         String grantType = request.getParameter("grant_type");
         Authentication authResult = null;
         if ("password".equals(grantType)) {
@@ -228,13 +232,11 @@ protected Authentication extractCredentials(HttpServletRequest request, HttpServ
         return null;
     }
 
-    private Set<String> getScope(HttpServletRequest request) {
-        return OAuth2Utils.parseParameterList(request.getParameter("scope"));
-    }
-
+    @Override
     public void init(FilterConfig filterConfig) throws ServletException {
     }
 
+    @Override
     public void destroy() {
     }
 

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/JwtTokenGranter.java

@@ -0,0 +1,67 @@
+/*
+ * ****************************************************************************
+ *     Cloud Foundry
+ *     Copyright (c) [2009-2017] Pivotal Software, Inc. All Rights Reserved.
+ *
+ *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *     You may not use this product except in compliance with the License.
+ *
+ *     This product includes a number of subcomponents with
+ *     separate copyright notices and license terms. Your use of these
+ *     subcomponents is subject to the terms and conditions of the
+ *     subcomponent's license, as noted in the LICENSE file.
+ * ****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.oauth.token;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.provider.ClientDetails;
+import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.DefaultSecurityContextAccessor;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
+import org.springframework.security.oauth2.provider.TokenRequest;
+import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
+import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
+
+import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_JWT_BEARER;
+
+public class JwtTokenGranter extends AbstractTokenGranter {
+
+    protected JwtTokenGranter(AuthorizationServerTokenServices tokenServices,
+                              ClientDetailsService clientDetailsService,
+                              OAuth2RequestFactory requestFactory) {
+        super(tokenServices, clientDetailsService, requestFactory, GRANT_TYPE_JWT_BEARER);
+    }
+
+    protected Authentication validateRequest(TokenRequest request) {
+        if (new DefaultSecurityContextAccessor().isUser()) {
+            if( request == null ||
+                request.getRequestParameters() == null ||
+                request.getRequestParameters().isEmpty()) {
+                throw new InvalidGrantException("Missing token request object");
+            }
+            if(request.getRequestParameters().get("grant_type") == null) {
+                throw new InvalidGrantException("Missing grant type");
+            }
+            if(!GRANT_TYPE_JWT_BEARER.equals(request.getRequestParameters().get("grant_type"))) {
+                throw new InvalidGrantException("Invalid grant type");
+            }
+        } else {
+            throw new InvalidGrantException("User authentication not found");
+        }
+        return SecurityContextHolder.getContext().getAuthentication();
+    }
+
+    @Override
+    protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
+        validateRequest(tokenRequest);
+        Authentication userAuth = validateRequest(tokenRequest);
+        OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);
+        return new OAuth2Authentication(storedOAuth2Request, userAuth);
+    }
+}

server/src/test/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilterTest.java

@@ -0,0 +1,111 @@
+/*
+ * ****************************************************************************
+ *     Cloud Foundry
+ *     Copyright (c) [2009-2017] Pivotal Software, Inc. All Rights Reserved.
+ *
+ *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *     You may not use this product except in compliance with the License.
+ *
+ *     This product includes a number of subcomponents with
+ *     separate copyright notices and license terms. Your use of these
+ *     subcomponents is subject to the terms and conditions of the
+ *     subcomponent's license, as noted in the LICENSE file.
+ * ****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.authentication;
+
+import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationManager;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
+import org.springframework.security.saml.SAMLProcessingFilter;
+
+import javax.servlet.FilterChain;
+
+import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.GRANT_TYPE;
+import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_SAML2_BEARER;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.same;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyZeroInteractions;
+
+public class BackwardsCompatibleTokenEndpointAuthenticationFilterTest {
+
+
+    private AuthenticationManager passwordAuthManager;
+    private OAuth2RequestFactory requestFactory;
+    private SAMLProcessingFilter samlAuthFilter;
+    private XOAuthAuthenticationManager xoAuthAuthenticationManager;
+    private BackwardsCompatibleTokenEndpointAuthenticationFilter filter;
+    private MockHttpServletRequest request;
+    private MockHttpServletResponse response;
+    private FilterChain chain;
+
+    @Before
+    public void setUp() throws Exception {
+
+        passwordAuthManager = mock(AuthenticationManager.class);
+        requestFactory = mock(OAuth2RequestFactory.class);
+        samlAuthFilter = mock(SAMLProcessingFilter.class);
+        xoAuthAuthenticationManager = mock(XOAuthAuthenticationManager.class);
+
+        filter = spy(
+            new BackwardsCompatibleTokenEndpointAuthenticationFilter(
+                passwordAuthManager,
+                requestFactory,
+                samlAuthFilter,
+                xoAuthAuthenticationManager
+            )
+        );
+
+        request = new MockHttpServletRequest("POST", "/oauth/token");
+        response = new MockHttpServletResponse();
+        chain = mock(FilterChain.class);
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        SecurityContextHolder.clearContext();
+        IdentityZoneHolder.clear();
+    }
+
+    @Test
+    public void attempt_password_authentication() throws Exception {
+        request.addParameter(GRANT_TYPE, "password");
+        request.addParameter("username", "marissa");
+        request.addParameter("password", "koala");
+        filter.doFilter(request, response, chain);
+        verify(filter, times(1)).attemptTokenAuthentication(same(request), same(response));
+        verify(passwordAuthManager, times(1)).authenticate(any());
+        verifyZeroInteractions(samlAuthFilter);
+        verifyZeroInteractions(xoAuthAuthenticationManager);
+    }
+
+    @Test
+    public void attempt_saml_assertion_authentication() throws Exception {
+        request.addParameter(GRANT_TYPE, GRANT_TYPE_SAML2_BEARER);
+        request.addParameter("assertion", "saml-assertion-value-here");
+        filter.doFilter(request, response, chain);
+        verify(filter, times(1)).attemptTokenAuthentication(same(request), same(response));
+        verify(samlAuthFilter, times(1)).attemptAuthentication(same(request), same(response));
+        verifyZeroInteractions(passwordAuthManager);
+        verifyZeroInteractions(xoAuthAuthenticationManager);
+    }
+
+    @Test
+    public void attempt_jwt_token_authentication() throws Exception {
+        fail();
+    }
+
+}