fixes #2 output scopes if matching is failed in log and response

swagger-security/pom.xml

@@ -96,7 +96,11 @@
             <version>${version.jose4j}</version>
         </dependency>
 
-
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>

swagger-security/src/main/java/com/networknt/security/JwtVerifyHandler.java

@@ -33,7 +33,6 @@
 import org.jose4j.jwt.JwtClaims;
 import org.jose4j.jwt.MalformedClaimException;
 import org.jose4j.jwt.consumer.InvalidJwtException;
-import org.owasp.encoder.Encode;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -148,9 +147,10 @@ public void handleRequest(final HttpServerExchange exchange) throws Exception {
                     if (scopeHeader != null) {
                         if (secondaryScopes == null || !matchedScopes(secondaryScopes, specScopes)) {
                             if(logger.isDebugEnabled()) {
-                                logger.debug("Scopes are not matched in scope token" + Encode.forJava(scopeHeader));
+                                logger.debug("Scopes " + secondaryScopes  + " and specificatio token " +
+                                        specScopes + " are not matched in scope token");
                             }
-                            Status status = new Status(STATUS_SCOPE_TOKEN_SCOPE_MISMATCH);
+                            Status status = new Status(STATUS_SCOPE_TOKEN_SCOPE_MISMATCH, secondaryScopes, specScopes);
                             exchange.setStatusCode(status.getStatusCode());
                             exchange.getResponseSender().send(status.toString());
                             return;
@@ -169,9 +169,10 @@ public void handleRequest(final HttpServerExchange exchange) throws Exception {
                         }
                         if (!matchedScopes(primaryScopes, specScopes)) {
                             if(logger.isDebugEnabled()) {
-                                logger.debug("Authorization jwt token scope is not matched " + Encode.forJava(jwt));
+                                logger.debug("Authorization jwt token scope " + primaryScopes +
+                                        " is not matched with " + specScopes);
                             }
-                            Status status = new Status(STATUS_AUTH_TOKEN_SCOPE_MISMATCH);
+                            Status status = new Status(STATUS_AUTH_TOKEN_SCOPE_MISMATCH, primaryScopes, specScopes);
                             exchange.setStatusCode(status.getStatusCode());
                             exchange.getResponseSender().send(status.toString());
                             return;

swagger-security/src/main/resources/config/security.yml

@@ -1,12 +1,23 @@
+# Security configuration in light framework.
 ---
-description: security configuration
+# Enable JWT verification flag.
 enableVerifyJwt: true
+
+# Enable JWT scope verification. Only valid when enableVerifyJwt is true.
 enableVerifyScope: true
+
+# User for test only. should be always be false on official environment.
 enableMockJwt: false
+
+# JWT signature public certificates. kid and certificate path mappings.
 jwt:
   certificate:
     '100': oauth/primary.crt
     '101': oauth/secondary.crt
   clockSkewInSeconds: 60
+
+# Enable or disable JWT token logging
 logJwtToken: true
+
+# Enable or disable client_id, user_id and scope logging.
 logClientUserScope: false

swagger-security/src/test/java/com/networknt/security/JwtVerifyHandlerTest.java

@@ -16,8 +16,119 @@
 
 package com.networknt.security;
 
+import com.networknt.swagger.SwaggerHandler;
+import io.undertow.Handlers;
+import io.undertow.Undertow;
+import io.undertow.server.HttpHandler;
+import io.undertow.server.RoutingHandler;
+import io.undertow.util.HttpString;
+import io.undertow.util.Methods;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.HashMap;
+import java.util.Map;
+
 /**
  * Created by steve on 01/09/16.
  */
 public class JwtVerifyHandlerTest {
+    static final Logger logger = LoggerFactory.getLogger(JwtVerifyHandlerTest.class);
+
+    static Undertow server = null;
+
+    @BeforeClass
+    public static void setUp() {
+        if(server == null) {
+            logger.info("starting server");
+            HttpHandler handler = getTestHandler();
+            JwtVerifyHandler jwtVerifyHandler = new JwtVerifyHandler();
+            jwtVerifyHandler.setNext(handler);
+            SwaggerHandler swaggerHandler = new SwaggerHandler();
+            swaggerHandler.setNext(jwtVerifyHandler);
+            server = Undertow.builder()
+                    .addHttpListener(8080, "localhost")
+                    .setHandler(swaggerHandler)
+                    .build();
+            server.start();
+        }
+    }
+
+    @AfterClass
+    public static void tearDown() throws Exception {
+        if(server != null) {
+            try {
+                Thread.sleep(100);
+            } catch (InterruptedException ignored) {
+
+            }
+            server.stop();
+            logger.info("The server is stopped.");
+        }
+    }
+
+    static RoutingHandler getTestHandler() {
+        return Handlers.routing()
+                .add(Methods.GET, "/v2/pet/{petId}", exchange -> {
+                    Map<String, Object> examples = new HashMap<>();
+                    examples.put("application/xml", StringEscapeUtils.unescapeHtml4("&lt;Pet&gt;  &lt;id&gt;123456&lt;/id&gt;  &lt;name&gt;doggie&lt;/name&gt;  &lt;photoUrls&gt;    &lt;photoUrls&gt;string&lt;/photoUrls&gt;  &lt;/photoUrls&gt;  &lt;tags&gt;  &lt;/tags&gt;  &lt;status&gt;string&lt;/status&gt;&lt;/Pet&gt;"));
+                    examples.put("application/json", StringEscapeUtils.unescapeHtml4("{  &quot;photoUrls&quot; : [ &quot;aeiou&quot; ],  &quot;name&quot; : &quot;doggie&quot;,  &quot;id&quot; : 123456789,  &quot;category&quot; : {    &quot;name&quot; : &quot;aeiou&quot;,    &quot;id&quot; : 123456789  },  &quot;tags&quot; : [ {    &quot;name&quot; : &quot;aeiou&quot;,    &quot;id&quot; : 123456789  } ],  &quot;status&quot; : &quot;aeiou&quot;}"));
+                    if(examples.size() > 0) {
+                        exchange.getResponseHeaders().add(new HttpString("Content-Type"), "application/json");
+                        exchange.getResponseSender().send((String)examples.get("application/json"));
+                    } else {
+                        exchange.endExchange();
+                    }
+                })
+                .add(Methods.GET, "/v2/pet", exchange -> exchange.getResponseSender().send("get"));
+    }
+
+    @Test
+    public void testWithRightScopeInIdToken() throws Exception {
+        String url = "http://localhost:8080/v2/pet/111";
+        CloseableHttpClient client = HttpClients.createDefault();
+        HttpGet httpGet = new HttpGet(url);
+        httpGet.setHeader("Authorization", "Bearer eyJraWQiOiIxMDAiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ1cm46Y29tOm5ldHdvcmtudDpvYXV0aDI6djEiLCJhdWQiOiJ1cm46Y29tLm5ldHdvcmtudCIsImV4cCI6MTgwNTEzNjU1MSwianRpIjoiV0Z1VVZneE83dmxKUm5XUlllMjE1dyIsImlhdCI6MTQ4OTc3NjU1MSwibmJmIjoxNDg5Nzc2NDMxLCJ2ZXJzaW9uIjoiMS4wIiwidXNlcl9pZCI6InN0ZXZlIiwidXNlcl90eXBlIjoiRU1QTE9ZRUUiLCJjbGllbnRfaWQiOiJmN2Q0MjM0OC1jNjQ3LTRlZmItYTUyZC00YzU3ODc0MjFlNzIiLCJzY29wZSI6WyJ3cml0ZTpwZXRzIiwicmVhZDpwZXRzIl19.ZDlD_JbtHMqfx8EWOlOXI0zFGjB_pJ6yXWpxoE03o2yQnCUq1zypaDTJWSiy-BPIiQAxwDV09L3SN7RsOcgJ3y2LLFhgqIXhcHoePxoz52LPOeeiihG2kcrgBm-_VMq0uUykLrD-ljSmmSm1Hai_dx0WiYGAEJf-TiD1mgzIUTlhogYrjFKlp2NaYHxr7yjzEGefKv4DWdjtlEMmX_cXkqPgxra_omzyxeWE-n0b7f_r7Hr5HkxnmZ23gkZcvFXfVWKEp2t0_dYmNCbSVDavAjNanvmWsNThYNglFRvF0lm8kl7jkfMO1pTa0WLcBLvOO2y_jRWjieFCrc0ksbIrXA");
+        try {
+            CloseableHttpResponse response = client.execute(httpGet);
+            int statusCode = response.getStatusLine().getStatusCode();
+            String body = IOUtils.toString(response.getEntity().getContent(), "utf8");
+            Assert.assertEquals(200, statusCode);
+            if(statusCode == 200) {
+                Assert.assertNotNull(body);
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    @Test
+    public void testUnmatchedScopeInIdToken() throws Exception {
+        String url = "http://localhost:8080/v2/pet/111";
+        CloseableHttpClient client = HttpClients.createDefault();
+        HttpGet httpGet = new HttpGet(url);
+        httpGet.setHeader("Authorization", "Bearer eyJraWQiOiIxMDAiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ1cm46Y29tOm5ldHdvcmtudDpvYXV0aDI6djEiLCJhdWQiOiJ1cm46Y29tLm5ldHdvcmtudCIsImV4cCI6MTgwNTEzNjU1MSwianRpIjoiTVJiZHdlQ295eG13a2ZUM3lVWGloQSIsImlhdCI6MTQ4OTc3NjU1MSwibmJmIjoxNDg5Nzc2NDMxLCJ2ZXJzaW9uIjoiMS4wIiwidXNlcl9pZCI6ImVyaWMiLCJ1c2VyX3R5cGUiOiJFTVBMT1lFRSIsImNsaWVudF9pZCI6ImY3ZDQyMzQ4LWM2NDctNGVmYi1hNTJkLTRjNTc4NzQyMWU3MiIsInNjb3BlIjpbIkFUTVAxMDAwLnciLCJBVE1QMTAwMC5yIl19.VOEggO6UIMHNJLrxShGivCh7sGyHiz7h9FqDjlKwywGP9xKbVTTODy2-FitUaS1Y2vjiHlJ0TNyxmj1SO11YwYnJlW1zn-6vfKWKI70DyvRwsvSX_8Z2fj0jPUiBqezwKRtLCHSsmiEpMrW6YQHYw0qzZ9kkMhiH2uFpZNCekOQWL1piRn1xVQkUmeFiTDvJQESHadFzw-9x0klO7-SxgKeHHDroxnpbLv2j795oMTB1gM_wJP6HO_M-gK6N1Uh6zssfnbyFReRNWkhZFOp3Y8DvwpfKhqXIVGUc_5WsO9M-y66icClVNl5zwLSmjsrNtqZkmeBCwQ6skBnRLfMocQ");
+        try {
+            CloseableHttpResponse response = client.execute(httpGet);
+            int statusCode = response.getStatusLine().getStatusCode();
+            String body = IOUtils.toString(response.getEntity().getContent(), "utf8");
+            Assert.assertEquals(403, statusCode);
+            if(statusCode == 403) {
+                Assert.assertNotNull(body);
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
 }