

Refactor tests
- Moved the token-revocation-related tests into a separate test file.

[#151271929] https://www.pivotaltracker.com/story/show/151271929

Signed-off-by: Shash Reddy <sreddy@pivotal.io>
medvedzver authored and Shash Reddy committed Sep 25, 2017
1 parent 9286ad6 commit e7b5643
Showing 2 changed files with 307 additions and 268 deletions.
Expand Up @@ -3371,274 +3371,6 @@ public void validateNewTokenAfterDeleteClientSecret() throws Exception {
.andExpect(status().isOk());
}


@Test
public void revokeOwnJWToken() throws Exception {
IdentityZone defaultZone = identityZoneProvisioning.retrieve(IdentityZone.getUaa().getId());
defaultZone.getConfig().getTokenPolicy().setJwtRevocable(true);
identityZoneProvisioning.update(defaultZone);

try {
BaseClientDetails client = setUpClients(
generator.generate(),
"clients.write",
"openid",
"client_credentials,password"
,true
);


//this is the token we will revoke
String clientToken =
getClientCredentialsOAuthAccessToken(
getMockMvc(),
client.getClientId(),
SECRET,
null,
null
);

Jwt jwt = JwtHelper.decode(clientToken);
Map<String, Object> claims = JsonUtils.readValue(jwt.getClaims(), new TypeReference<Map<String, Object>>() {
});
String jti = (String) claims.get("jti");

getMockMvc().perform(delete("/oauth/token/revoke/" + jti)
.header("Authorization", "Bearer " + clientToken))
.andExpect(status().isOk());

tokenProvisioning.retrieve(jti, IdentityZoneHolder.get().getId());
} catch (EmptyResultDataAccessException e) {
} finally {
defaultZone.getConfig().getTokenPolicy().setJwtRevocable(false);
identityZoneProvisioning.update(defaultZone);
}
}

@Test
public void revokeOtherClientToken() throws Exception {
String resourceClientId = generator.generate();

BaseClientDetails client =
setUpClients(resourceClientId,
"tokens.revoke",
"openid",
"client_credentials,password",
true
);


//this is the token we will revoke
String revokeAccessToken =
getClientCredentialsOAuthAccessToken(
getMockMvc(),
client.getClientId(),
SECRET,
"tokens.revoke",
null,
false
);

String tokenToBeRevoked =
getClientCredentialsOAuthAccessToken(
getMockMvc(),
resourceClientId,
SECRET,
null,
null,
true
);

getMockMvc().perform(delete("/oauth/token/revoke/" + tokenToBeRevoked)
.header("Authorization", "Bearer " + revokeAccessToken))
.andExpect(status().isOk());


try {
tokenProvisioning.retrieve(tokenToBeRevoked, IdentityZoneHolder.get().getId());
fail("Token should have been deleted");
} catch (EmptyResultDataAccessException e) {
//expected
}
}

@Test
public void revokeOtherClientTokenForbidden() throws Exception {
String resourceClientId = generator.generate();
BaseClientDetails resourceClient = setUpClients(
resourceClientId,
"uaa.resource",
"uaa.resource",
"client_credentials,password",
true
) ;

BaseClientDetails client = setUpClients(
generator.generate(),
"clients.write",
"openid",
"client_credentials,password",
true
);


//this is the token we will revoke
String revokeAccessToken =
getClientCredentialsOAuthAccessToken(
getMockMvc(),
client.getClientId(),
SECRET,
null,
null,
false
);

String tokenToBeRevoked =
getClientCredentialsOAuthAccessToken(
getMockMvc(),
resourceClientId,
SECRET,
null,
null,
true
);

getMockMvc().perform(delete("/oauth/token/revoke/" + tokenToBeRevoked)
.header("Authorization", "Bearer " + revokeAccessToken))
.andExpect(status().isForbidden());
}

@Test
public void revokeOpaqueTokenWithOpaqueToken() throws Exception {
ScimUser scimUser = setUpUser("testUser" + generator.generate());

String opaqueUserToken = testClient.getUserOAuthAccessToken("app", "appclientsecret", scimUser.getUserName(), "secret", null);

getMockMvc().perform(delete("/oauth/token/revoke/" + opaqueUserToken)
.header("Authorization", "Bearer " + opaqueUserToken))
.andExpect(status().isOk());

try {
tokenProvisioning.retrieve(opaqueUserToken, IdentityZoneHolder.get().getId());
} catch (EmptyResultDataAccessException e) {
}
}

@Test
public void test_Revoke_Client_And_User_Tokens() throws Exception {
BaseClientDetails client = getAClientWithClientsRead();
BaseClientDetails otherClient = getAClientWithClientsRead();

//this is the token we will revoke
String readClientsToken =
getClientCredentialsOAuthAccessToken(
getMockMvc(),
client.getClientId(),
client.getClientSecret(),
null,
null
);

//this is the token from another client
String otherReadClientsToken =
getClientCredentialsOAuthAccessToken(
getMockMvc(),
otherClient.getClientId(),
otherClient.getClientSecret(),
null,
null
);

//ensure our token works
getMockMvc().perform(
get("/oauth/clients")
.header("Authorization", "Bearer "+readClientsToken)
).andExpect(status().isOk());

//ensure we can't get to the endpoint without authentication
getMockMvc().perform(
get("/oauth/token/revoke/client/"+client.getClientId())
).andExpect(status().isUnauthorized());

//ensure we can't get to the endpoint without correct scope
getMockMvc().perform(
get("/oauth/token/revoke/client/"+client.getClientId())
.header("Authorization", "Bearer "+otherReadClientsToken)
).andExpect(status().isForbidden());

//ensure that we have the correct error for invalid client id
getMockMvc().perform(
get("/oauth/token/revoke/client/notfound"+ generator.generate())
.header("Authorization", "Bearer "+adminToken)
).andExpect(status().isNotFound());

//we revoke the tokens for that client
getMockMvc().perform(
get("/oauth/token/revoke/client/"+client.getClientId())
.header("Authorization", "Bearer "+adminToken)
).andExpect(status().isOk());

//we should fail attempting to use the token
getMockMvc().perform(
get("/oauth/clients")
.header("Authorization", "Bearer "+readClientsToken)
)
.andExpect(status().isUnauthorized())
.andExpect(content().string(containsString("\"error\":\"invalid_token\"")));

ScimUser user = setUpUser(generator.generate().toLowerCase()+"@test.org");
user.setPassword("secret");

String userInfoToken = getUserOAuthAccessToken(
getMockMvc(),
client.getClientId(),
client.getClientSecret(),
user.getUserName(),
user.getPassword(),
"openid"
);

//ensure our token works
getMockMvc().perform(
get("/userinfo")
.header("Authorization", "Bearer "+userInfoToken)
).andExpect(status().isOk());

//we revoke the tokens for that user
getMockMvc().perform(
get("/oauth/token/revoke/user/"+user.getId()+"notfound")
.header("Authorization", "Bearer "+adminToken)
).andExpect(status().isNotFound());


//we revoke the tokens for that user
getMockMvc().perform(
get("/oauth/token/revoke/user/"+user.getId())
.header("Authorization", "Bearer "+adminToken)
).andExpect(status().isOk());

getMockMvc().perform(
get("/userinfo")
.header("Authorization", "Bearer "+userInfoToken)
)
.andExpect(status().isUnauthorized())
.andExpect(content().string(containsString("\"error\":\"invalid_token\"")));


}

protected BaseClientDetails getAClientWithClientsRead() throws Exception {
BaseClientDetails client = setUpClients(
generator.generate(),
"clients.read",
"openid",
"client_credentials,password",
true
);
client.setClientSecret("secret");
return client;
}

@Test
public void testGetClientCredentials_WithAuthoritiesExcluded_ForDefaultIdentityZone() throws Exception {
Set<String> originalExclude = getWebApplicationContext().getBean(UaaTokenServices.class).getExcludedClaims();
