[ELY-2564] Add the ability to disable OIDC access token typ claim validation via a system property
Showing
6 changed files
with
264 additions
and
1 deletion.
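--- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/TypClaimValidationBaseTest.java
+++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/TypClaimValidationBaseTest.java
@@ -0,0 +1,116 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2023 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.http.oidc;
+
+import com.nimbusds.jose.JOSEObjectType;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.Payload;
+import com.nimbusds.jose.crypto.RSASSASigner;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+
+import javax.json.Json;
+import javax.json.JsonObjectBuilder;
+
+import mockit.Mock;
+import mockit.MockUp;
+
+/**
+ * Base test class for typ claim validation tests.
+ *
+ * @author <a href="mailto:fjuma@redhat.com">Farah Juma</a>
+ */
+public class TypClaimValidationBaseTest {
+
+    public static String ISSUER_URL = "http://localhost:8080/realms/myrealm";
+    public static String SUBJECT = "bf8ce366-0a74-4628-bd9a-1e69084ae558";
+
+    /**
+     * The issuerUrl gets set using OIDC discovery. Since this test class isn't
+     * making use of the Keycloak OpenID provider, we are mocking the return
+     * value for the issuer URL.
+     *
+     * @param issuerUrl
+     */
+    protected static void mockIssuerUrl(String issuerUrl) {
+        Class<?> classToMock;
+        try {
+            classToMock = Class.forName("org.wildfly.security.http.oidc.OidcClientConfiguration",
+                    true, OidcClientConfiguration.class.getClassLoader());
+        } catch (ClassNotFoundException e) {
+            throw new NoClassDefFoundError(e.getMessage());
+        }
+        new MockUp<Object>(classToMock) {
+            @Mock
+            public String getIssuerUrl() {
+                return issuerUrl;
+            }
+        };
+    }
+
+    protected static AccessToken testTokenValidationWithoutTypClaim() throws Exception {
+        KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+        HardcodedPublicKeyLocator hardcodedPublicKeyLocator = new HardcodedPublicKeyLocator(keyPair.getPublic());
+
+        OidcClientConfiguration clientConfiguration = new OidcClientConfiguration();
+        clientConfiguration.setClientId("clientWithoutTyp");
+        clientConfiguration.setPublicKeyLocator(hardcodedPublicKeyLocator);
+        clientConfiguration.setProviderUrl(ISSUER_URL);
+        clientConfiguration.setPublicClient(true);
+        clientConfiguration.setPrincipalAttribute("preferred_username");
+        clientConfiguration.setSSLRequired(Oidc.SSLRequired.EXTERNAL);
+
+        TokenValidator tokenValidator = TokenValidator.builder(clientConfiguration).build();
+        return tokenValidator.parseAndVerifyToken(createJwt(keyPair, 60, "1"));
+    }
+
+    private static String createJwt(KeyPair keyPair, int expirationOffset, String kid) throws Exception {
+        PrivateKey privateKey = keyPair.getPrivate();
+        JWSSigner signer = new RSASSASigner(privateKey);
+        JsonObjectBuilder claimsBuilder = createClaims(expirationOffset);
+
+        JWSHeader.Builder headerBuilder = new JWSHeader.Builder(JWSAlgorithm.RS256)
+                .type(new JOSEObjectType("jwt"));
+        if (kid != null) {
+            headerBuilder.keyID(kid);
+        }
+
+        JWSObject jwsObject = new JWSObject(headerBuilder.build(), new Payload(claimsBuilder.build().toString()));
+        jwsObject.sign(signer);
+        return jwsObject.serialize();
+    }
+
+    private static JsonObjectBuilder createClaims(int expirationOffset) {
+        // typ claim not included
+        return Json.createObjectBuilder()
+                .add("sub", SUBJECT)
+                .add("iss", ISSUER_URL)
+                .add("aud", "account")
+                .add("exp", (System.currentTimeMillis() / 1000) + expirationOffset)
+                .add("azp", "app")
+                .add("scope", "profile email")
+                .add("preferred_username", "alice");
+    }
+
+}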
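Review bot: `ISSUER_URL` and `SUBJECT` (new-file lines 46-47) are mutable `public static` fields that the subclasses read as constants; declare them `public static final String ISSUER_URL = "http://localhost:8080/realms/myrealm";` and likewise for `SUBJECT`, which also makes the duplicate `ISSUER_URL` redeclared in TypClaimValidationEnabledTest obviously redundant. In `mockIssuerUrl` the `Class.forName(...)` round trip is unnecessary because the same class is already referenced directly for its class loader, so `new MockUp<OidcClientConfiguration>() { @Mock public String getIssuerUrl() { return issuerUrl; } };` does the same with fewer failure modes, and the empty `@param issuerUrl` tag should carry a description such as `@param issuerUrl the issuer URL the mocked configuration should report`. The only token the helper can build is one with no `typ` claim; since the property under test relaxes a validation step, I would parameterize `createClaims` to optionally add a `typ` value so the enabled test can also assert a token with an unexpected `typ` is still rejected, and the disabled test can assert that expiry and signature checks still fail when only the typ check is switched off.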
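--- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/TypClaimValidationDisabledTest.java
+++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/TypClaimValidationDisabledTest.java
@@ -0,0 +1,60 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2023 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.http.oidc;
+
+import static org.junit.Assert.assertEquals;
+import static org.wildfly.common.Assert.assertNotNull;
+import static org.wildfly.security.http.oidc.Oidc.DISABLE_TYP_CLAIM_VALIDATION_PROPERTY_NAME;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * Tests for disabling typ claim validation.
+ *
+ * @author <a href="mailto:fjuma@redhat.com">Farah Juma</a>
+ */
+public class TypClaimValidationDisabledTest extends TypClaimValidationBaseTest {
+
+    private static String DISABLE_TYP_CLAIM_VALIDATION_PROPERTY;
+
+    @BeforeClass
+    public static void setUp() {
+        mockIssuerUrl(ISSUER_URL);
+        DISABLE_TYP_CLAIM_VALIDATION_PROPERTY = System.setProperty(DISABLE_TYP_CLAIM_VALIDATION_PROPERTY_NAME, "true");
+    }
+
+    @AfterClass
+    public static void tearDown() {
+        if (DISABLE_TYP_CLAIM_VALIDATION_PROPERTY == null) {
+            System.clearProperty(DISABLE_TYP_CLAIM_VALIDATION_PROPERTY_NAME);
+        } else {
+            System.setProperty(DISABLE_TYP_CLAIM_VALIDATION_PROPERTY_NAME, DISABLE_TYP_CLAIM_VALIDATION_PROPERTY);
+        }
+    }
+
+    @Test
+    public void testTokenWithoutTypClaimWithTypClaimValidationDisabled() throws Exception {
+        AccessToken accessToken = testTokenValidationWithoutTypClaim();
+        assertNotNull(accessToken);
+        assertEquals(ISSUER_URL, accessToken.getIssuer());
+        assertEquals("bf8ce366-0a74-4628-bd9a-1e69084ae558", accessToken.getSubject());
+    }
+}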
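Review bot: `assertNotNull` is imported from `org.wildfly.common.Assert` (new-file line 22) while `assertEquals` comes from JUnit, so a null token would surface as whatever that utility throws rather than as a JUnit assertion failure; import `static org.junit.Assert.assertNotNull` instead so both checks report consistently. The subject assertion at line 58 repeats the literal that the base class already names, so `assertEquals(SUBJECT, accessToken.getSubject());` keeps the two in step. The field `DISABLE_TYP_CLAIM_VALIDATION_PROPERTY` holds the property's previous value for restoration in `tearDown`, which the name does not convey; `previousDisableTypClaimValidationValue` would read better. Restoring the saved value is the right pattern for a JVM-global switch, but if the validator reads the property once and caches it rather than on every verification (not visible here), this class and TypClaimValidationEnabledTest depend on running in separate JVMs, which deserves a comment on `setUp`.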
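--- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/TypClaimValidationEnabledTest.java
+++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/TypClaimValidationEnabledTest.java
@@ -0,0 +1,50 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2023 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.http.oidc;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * Tests for typ claim validation.
+ *
+ * @author <a href="mailto:fjuma@redhat.com">Farah Juma</a>
+ */
+public class TypClaimValidationEnabledTest extends TypClaimValidationBaseTest {
+
+    private static String ISSUER_URL = "http://localhost:8080/realms/myrealm";
+
+    @BeforeClass
+    public static void setUp() {
+        mockIssuerUrl(ISSUER_URL);
+    }
+
+    @Test
+    public void testTokenWithoutTypClaimWithTypClaimValidationEnabled() throws Exception {
+        try {
+            testTokenValidationWithoutTypClaim();
+            fail("Expected exception not thrown");
+        } catch (OidcException e) {
+            assertTrue(e.getMessage().contains("Invalid bearer token"));
+        }
+    }
+}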
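Review bot: The `private static String ISSUER_URL` at new-file line 34 shadows the inherited field of the same name and value from TypClaimValidationBaseTest; delete it and let `setUp` use the base class's constant, otherwise the two copies can drift silently. This class relies on the typ check being enabled by default but never establishes that: if an earlier test in the same JVM set `DISABLE_TYP_CLAIM_VALIDATION_PROPERTY_NAME` and failed to restore it, this test would fail for an unrelated reason, so `setUp` should either clear the property or assert `System.getProperty(DISABLE_TYP_CLAIM_VALIDATION_PROPERTY_NAME)` is null before mocking. The `assertTrue(e.getMessage().contains("Invalid bearer token"))` at line 47 pins only the generic rejection text, so it would also pass if the token were rejected for a reason other than the missing `typ`; if the exception exposes a more specific cause or message for the typ failure (not visible here), asserting on that would make this the test that actually proves the typ check fired.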