Reproduce error. If PII is missing from the access token, the call fails

[#130370565] https://www.pivotaltracker.com/story/show/130370565
cloudfoundry · Oct 20, 2016 · 9b2363b · 9b2363b
1 parent c664381
commit 9b2363b
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 49 deletions.
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
@@ -13,7 +13,6 @@
 package org.cloudfoundry.identity.uaa.oauth;
 
 import org.apache.commons.collections.map.HashedMap;
-import org.apache.commons.lang.IllegalClassException;
 import org.cloudfoundry.identity.uaa.approval.Approval;
 import org.cloudfoundry.identity.uaa.approval.Approval.ApprovalStatus;
 import org.cloudfoundry.identity.uaa.approval.ApprovalStore;
@@ -58,7 +57,6 @@
 import org.springframework.dao.EmptyResultDataAccessException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -579,9 +577,10 @@ public void testCreateAccessTokenPasswordGrant() {
         tokenServices.loadAuthentication(accessToken.getValue());
 
         //ensure that we can load without user_name claim
-        tokenServices.setExcludedClaims(new HashSet(Arrays.asList(ClaimConstants.AUTHORITIES, ClaimConstants.USER_NAME)));
+        tokenServices.setExcludedClaims(new HashSet(Arrays.asList(ClaimConstants.AUTHORITIES, ClaimConstants.USER_NAME, ClaimConstants.EMAIL)));
         accessToken = tokenServices.createAccessToken(authentication);
-        tokenServices.loadAuthentication(accessToken.getValue());
+        assertNotNull(tokenServices.loadAuthentication(accessToken.getValue()).getUserAuthentication());
+
     }
 
 

diff --git a/.../test/java/org/cloudfoundry/identity/uaa/scim/endpoints/UserInfoEndpointMockMvcTests.java b/.../test/java/org/cloudfoundry/identity/uaa/scim/endpoints/UserInfoEndpointMockMvcTests.java
@@ -1,16 +1,32 @@
+/*******************************************************************************
+ *     Cloud Foundry
+ *     Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved.
+ *
+ *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *     You may not use this product except in compliance with the License.
+ *
+ *     This product includes a number of subcomponents with
+ *     separate copyright notices and license terms. Your use of these
+ *     subcomponents is subject to the terms and conditions of the
+ *     subcomponent's license, as noted in the LICENSE file.
+ *******************************************************************************/
 package org.cloudfoundry.identity.uaa.scim.endpoints;
 
 import org.cloudfoundry.identity.uaa.mock.InjectedMockContextTest;
+import org.cloudfoundry.identity.uaa.oauth.UaaTokenServices;
 import org.cloudfoundry.identity.uaa.scim.ScimUser;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
 
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.utils;
 import static org.junit.Assert.assertEquals;
@@ -19,51 +35,71 @@
 
 public class UserInfoEndpointMockMvcTests extends InjectedMockContextTest {
 
-  private RandomValueStringGenerator generator = new RandomValueStringGenerator();
-  private String clientId = generator.generate().toLowerCase();
-  private String clientSecret = generator.generate().toLowerCase();
-
-  private String adminToken;
-
-  private ScimUser user;
-  private String userName;
-
-  @Before
-  public void setUp() throws Exception {
-    adminToken = testClient.getClientCredentialsOAuthAccessToken("admin", "adminsecret", "clients.read clients.write clients.secret scim.read scim.write clients.admin");
-
-    String authorities = "scim.read,scim.write,password.write,oauth.approvals,scim.create,openid";
-    utils().createClient(this.getMockMvc(), adminToken, clientId, clientSecret, Collections.singleton("oauth"), Arrays.asList("openid"), Arrays.asList("client_credentials", "password"), authorities);
-
-    userName = new RandomValueStringGenerator().generate()+"@test.org";
-    user = new ScimUser(null, userName, "PasswordResetUserFirst", "PasswordResetUserLast");
-    user.setPrimaryEmail(user.getUserName());
-    user.setPassword("secr3T");
-    user = utils().createUser(getMockMvc(), adminToken, user);
-  }
-
-  @Test
-  public void testGetUserInfo() throws Exception {
-
-    String userInfoToken = testClient.getUserOAuthAccessToken(
-      clientId,
-      clientSecret,
-      user.getUserName(),
-      "secr3T",
-      "openid"
-    );
-
-    MockHttpServletResponse response = getMockMvc().perform(
-      get("/userinfo")
-        .header("Authorization", "Bearer " + userInfoToken))
-      .andExpect(status().isOk())
-      .andReturn().getResponse();
-
-    Map<String, Object> map = JsonUtils.readValue(response.getContentAsString(), Map.class);
-    assertEquals(user.getUserName(), map.get("user_name"));
-    assertEquals(user.getFamilyName(), map.get("family_name"));
-    assertEquals(user.getGivenName(), map.get("given_name"));
-  }
+    private RandomValueStringGenerator generator = new RandomValueStringGenerator();
+    private String clientId = generator.generate().toLowerCase();
+    private String clientSecret = generator.generate().toLowerCase();
+
+    private String adminToken;
+
+    private ScimUser user;
+    private String userName;
+
+    private UaaTokenServices tokenServices;
+    private Set<String> excludedClaims;
+
+    @Before
+    public void setUp() throws Exception {
+        adminToken = testClient.getClientCredentialsOAuthAccessToken("admin", "adminsecret", "clients.read clients.write clients.secret scim.read scim.write clients.admin");
+        String authorities = "scim.read,scim.write,password.write,oauth.approvals,scim.create,openid";
+        utils().createClient(this.getMockMvc(), adminToken, clientId, clientSecret, Collections.singleton("oauth"), Arrays.asList("openid"), Arrays.asList("client_credentials", "password"), authorities);
+        userName = new RandomValueStringGenerator().generate() + "@test.org";
+        user = new ScimUser(null, userName, "PasswordResetUserFirst", "PasswordResetUserLast");
+        user.setPrimaryEmail(user.getUserName());
+        user.setPassword("secr3T");
+        user = utils().createUser(getMockMvc(), adminToken, user);
+
+        tokenServices = getWebApplicationContext().getBean(UaaTokenServices.class);
+        excludedClaims = tokenServices.getExcludedClaims();
+    }
+
+    @After
+    public void restoreExcludedClaims() {
+        tokenServices.setExcludedClaims(excludedClaims);
+    }
+
+    @Test
+    public void testGetUserInfo() throws Exception {
+        get_user_info();
+    }
+
+    public void get_user_info() throws Exception {
+
+        String userInfoToken = testClient.getUserOAuthAccessToken(
+            clientId,
+            clientSecret,
+            user.getUserName(),
+            "secr3T",
+            "openid"
+        );
+
+        MockHttpServletResponse response = getMockMvc().perform(
+            get("/userinfo")
+                .header("Authorization", "Bearer " + userInfoToken))
+            .andExpect(status().isOk())
+            .andReturn().getResponse();
+
+        Map<String, Object> map = JsonUtils.readValue(response.getContentAsString(), Map.class);
+        assertEquals(user.getUserName(), map.get("user_name"));
+        assertEquals(user.getFamilyName(), map.get("family_name"));
+        assertEquals(user.getGivenName(), map.get("given_name"));
+    }
+
+
+    @Test
+    public void testGetUserInfo_Without_PII_Token() throws Exception {
+        tokenServices.setExcludedClaims(new HashSet<>(Arrays.asList("user_name","email")));
+        get_user_info();
+    }
 
 }