Browse Source
Closes gh-17302 Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>pull/17478/head
Tran Ngoc Nhan
6 months ago
committed by
Josh Cummings
8 changed files with 21 additions and 1244 deletions
@ -1,269 +0,0 @@
@@ -1,269 +0,0 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.server.resource.introspection; |
||||
|
||||
import java.net.URI; |
||||
import java.time.Instant; |
||||
import java.util.ArrayList; |
||||
import java.util.Collection; |
||||
import java.util.Collections; |
||||
import java.util.List; |
||||
import java.util.Map; |
||||
|
||||
import com.nimbusds.oauth2.sdk.ErrorObject; |
||||
import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse; |
||||
import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse; |
||||
import com.nimbusds.oauth2.sdk.http.HTTPResponse; |
||||
import com.nimbusds.oauth2.sdk.id.Audience; |
||||
import org.apache.commons.logging.Log; |
||||
import org.apache.commons.logging.LogFactory; |
||||
|
||||
import org.springframework.core.convert.converter.Converter; |
||||
import org.springframework.http.HttpHeaders; |
||||
import org.springframework.http.HttpMethod; |
||||
import org.springframework.http.MediaType; |
||||
import org.springframework.http.RequestEntity; |
||||
import org.springframework.http.ResponseEntity; |
||||
import org.springframework.http.client.support.BasicAuthenticationInterceptor; |
||||
import org.springframework.security.core.GrantedAuthority; |
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority; |
||||
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; |
||||
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames; |
||||
import org.springframework.util.Assert; |
||||
import org.springframework.util.LinkedMultiValueMap; |
||||
import org.springframework.util.MultiValueMap; |
||||
import org.springframework.web.client.RestOperations; |
||||
import org.springframework.web.client.RestTemplate; |
||||
|
||||
/** |
||||
* A Nimbus implementation of {@link OpaqueTokenIntrospector} that verifies and |
||||
* introspects a token using the configured |
||||
* <a href="https://tools.ietf.org/html/rfc7662" target="_blank">OAuth 2.0 Introspection |
||||
* Endpoint</a>. |
||||
* |
||||
* @author Josh Cummings |
||||
* @author MD Sayem Ahmed |
||||
* @since 5.2 |
||||
* @deprecated Please use {@link SpringOpaqueTokenIntrospector} instead |
||||
*/ |
||||
@Deprecated |
||||
public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector { |
||||
|
||||
private static final String AUTHORITY_PREFIX = "SCOPE_"; |
||||
|
||||
private final Log logger = LogFactory.getLog(getClass()); |
||||
|
||||
private final RestOperations restOperations; |
||||
|
||||
private Converter<String, RequestEntity<?>> requestEntityConverter; |
||||
|
||||
/** |
||||
* Creates a {@code OpaqueTokenAuthenticationProvider} with the provided parameters |
||||
* @param introspectionUri The introspection endpoint uri |
||||
* @param clientId The client id authorized to introspect |
||||
* @param clientSecret The client's secret |
||||
*/ |
||||
public NimbusOpaqueTokenIntrospector(String introspectionUri, String clientId, String clientSecret) { |
||||
Assert.notNull(introspectionUri, "introspectionUri cannot be null"); |
||||
Assert.notNull(clientId, "clientId cannot be null"); |
||||
Assert.notNull(clientSecret, "clientSecret cannot be null"); |
||||
this.requestEntityConverter = this.defaultRequestEntityConverter(URI.create(introspectionUri)); |
||||
RestTemplate restTemplate = new RestTemplate(); |
||||
restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(clientId, clientSecret)); |
||||
this.restOperations = restTemplate; |
||||
} |
||||
|
||||
/** |
||||
* Creates a {@code OpaqueTokenAuthenticationProvider} with the provided parameters |
||||
* |
||||
* The given {@link RestOperations} should perform its own client authentication |
||||
* against the introspection endpoint. |
||||
* @param introspectionUri The introspection endpoint uri |
||||
* @param restOperations The client for performing the introspection request |
||||
*/ |
||||
public NimbusOpaqueTokenIntrospector(String introspectionUri, RestOperations restOperations) { |
||||
Assert.notNull(introspectionUri, "introspectionUri cannot be null"); |
||||
Assert.notNull(restOperations, "restOperations cannot be null"); |
||||
this.requestEntityConverter = this.defaultRequestEntityConverter(URI.create(introspectionUri)); |
||||
this.restOperations = restOperations; |
||||
} |
||||
|
||||
private Converter<String, RequestEntity<?>> defaultRequestEntityConverter(URI introspectionUri) { |
||||
return (token) -> { |
||||
HttpHeaders headers = requestHeaders(); |
||||
MultiValueMap<String, String> body = requestBody(token); |
||||
return new RequestEntity<>(body, headers, HttpMethod.POST, introspectionUri); |
||||
}; |
||||
} |
||||
|
||||
private HttpHeaders requestHeaders() { |
||||
HttpHeaders headers = new HttpHeaders(); |
||||
headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON)); |
||||
return headers; |
||||
} |
||||
|
||||
private MultiValueMap<String, String> requestBody(String token) { |
||||
MultiValueMap<String, String> body = new LinkedMultiValueMap<>(); |
||||
body.add("token", token); |
||||
return body; |
||||
} |
||||
|
||||
@Override |
||||
public OAuth2AuthenticatedPrincipal introspect(String token) { |
||||
RequestEntity<?> requestEntity = this.requestEntityConverter.convert(token); |
||||
if (requestEntity == null) { |
||||
throw new OAuth2IntrospectionException("requestEntityConverter returned a null entity"); |
||||
} |
||||
ResponseEntity<String> responseEntity = makeRequest(requestEntity); |
||||
HTTPResponse httpResponse = adaptToNimbusResponse(responseEntity); |
||||
TokenIntrospectionResponse introspectionResponse = parseNimbusResponse(httpResponse); |
||||
TokenIntrospectionSuccessResponse introspectionSuccessResponse = castToNimbusSuccess(introspectionResponse); |
||||
// relying solely on the authorization server to validate this token (not checking
|
||||
// 'exp', for example)
|
||||
if (!introspectionSuccessResponse.isActive()) { |
||||
this.logger.trace("Did not validate token since it is inactive"); |
||||
throw new BadOpaqueTokenException("Provided token isn't active"); |
||||
} |
||||
return convertClaimsSet(introspectionSuccessResponse); |
||||
} |
||||
|
||||
/** |
||||
* Sets the {@link Converter} used for converting the OAuth 2.0 access token to a |
||||
* {@link RequestEntity} representation of the OAuth 2.0 token introspection request. |
||||
* @param requestEntityConverter the {@link Converter} used for converting to a |
||||
* {@link RequestEntity} representation of the token introspection request |
||||
*/ |
||||
public void setRequestEntityConverter(Converter<String, RequestEntity<?>> requestEntityConverter) { |
||||
Assert.notNull(requestEntityConverter, "requestEntityConverter cannot be null"); |
||||
this.requestEntityConverter = requestEntityConverter; |
||||
} |
||||
|
||||
private ResponseEntity<String> makeRequest(RequestEntity<?> requestEntity) { |
||||
try { |
||||
return this.restOperations.exchange(requestEntity, String.class); |
||||
} |
||||
catch (Exception ex) { |
||||
throw new OAuth2IntrospectionException(ex.getMessage(), ex); |
||||
} |
||||
} |
||||
|
||||
private HTTPResponse adaptToNimbusResponse(ResponseEntity<String> responseEntity) { |
||||
MediaType contentType = responseEntity.getHeaders().getContentType(); |
||||
|
||||
if (contentType == null) { |
||||
this.logger.trace("Did not receive Content-Type from introspection endpoint in response"); |
||||
|
||||
throw new OAuth2IntrospectionException( |
||||
"Introspection endpoint response was invalid, as no Content-Type header was provided"); |
||||
} |
||||
|
||||
// Nimbus expects JSON, but does not appear to validate this header first.
|
||||
if (!contentType.isCompatibleWith(MediaType.APPLICATION_JSON)) { |
||||
this.logger.trace("Did not receive JSON-compatible Content-Type from introspection endpoint in response"); |
||||
|
||||
throw new OAuth2IntrospectionException("Introspection endpoint response was invalid, as content type '" |
||||
+ contentType + "' is not compatible with JSON"); |
||||
} |
||||
|
||||
HTTPResponse response = new HTTPResponse(responseEntity.getStatusCode().value()); |
||||
response.setHeader(HttpHeaders.CONTENT_TYPE, contentType.toString()); |
||||
response.setContent(responseEntity.getBody()); |
||||
|
||||
if (response.getStatusCode() != HTTPResponse.SC_OK) { |
||||
this.logger.trace("Introspection endpoint returned non-OK status code"); |
||||
|
||||
throw new OAuth2IntrospectionException( |
||||
"Introspection endpoint responded with HTTP status code " + response.getStatusCode()); |
||||
} |
||||
return response; |
||||
} |
||||
|
||||
private TokenIntrospectionResponse parseNimbusResponse(HTTPResponse response) { |
||||
try { |
||||
return TokenIntrospectionResponse.parse(response); |
||||
} |
||||
catch (Exception ex) { |
||||
throw new OAuth2IntrospectionException(ex.getMessage(), ex); |
||||
} |
||||
} |
||||
|
||||
private TokenIntrospectionSuccessResponse castToNimbusSuccess(TokenIntrospectionResponse introspectionResponse) { |
||||
if (!introspectionResponse.indicatesSuccess()) { |
||||
ErrorObject errorObject = introspectionResponse.toErrorResponse().getErrorObject(); |
||||
String message = "Token introspection failed with response " + errorObject.toJSONObject().toJSONString(); |
||||
this.logger.trace(message); |
||||
throw new OAuth2IntrospectionException(message); |
||||
} |
||||
return (TokenIntrospectionSuccessResponse) introspectionResponse; |
||||
} |
||||
|
||||
private OAuth2AuthenticatedPrincipal convertClaimsSet(TokenIntrospectionSuccessResponse response) { |
||||
Collection<GrantedAuthority> authorities = new ArrayList<>(); |
||||
Map<String, Object> claims = response.toJSONObject(); |
||||
if (response.getAudience() != null) { |
||||
List<String> audiences = new ArrayList<>(); |
||||
for (Audience audience : response.getAudience()) { |
||||
audiences.add(audience.getValue()); |
||||
} |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.AUD, Collections.unmodifiableList(audiences)); |
||||
} |
||||
if (response.getClientID() != null) { |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, response.getClientID().getValue()); |
||||
} |
||||
if (response.getExpirationTime() != null) { |
||||
Instant exp = response.getExpirationTime().toInstant(); |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.EXP, exp); |
||||
} |
||||
if (response.getIssueTime() != null) { |
||||
Instant iat = response.getIssueTime().toInstant(); |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.IAT, iat); |
||||
} |
||||
if (response.getIssuer() != null) { |
||||
// RFC-7662 page 7 directs users to RFC-7519 for defining the values of these
|
||||
// issuer fields.
|
||||
// https://datatracker.ietf.org/doc/html/rfc7662#page-7
|
||||
//
|
||||
// RFC-7519 page 9 defines issuer fields as being 'case-sensitive' strings
|
||||
// containing
|
||||
// a 'StringOrURI', which is defined on page 5 as being any string, but
|
||||
// strings containing ':'
|
||||
// should be treated as valid URIs.
|
||||
// https://datatracker.ietf.org/doc/html/rfc7519#section-2
|
||||
//
|
||||
// It is not defined however as to whether-or-not normalized URIs should be
|
||||
// treated as the same literal
|
||||
// value. It only defines validation itself, so to avoid potential ambiguity
|
||||
// or unwanted side effects that
|
||||
// may be awkward to debug, we do not want to manipulate this value. Previous
|
||||
// versions of Spring Security
|
||||
// would *only* allow valid URLs, which is not what we wish to achieve here.
|
||||
claims.put(OAuth2TokenIntrospectionClaimNames.ISS, response.getIssuer().getValue()); |
||||
} |
||||
if (response.getNotBeforeTime() != null) { |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.NBF, response.getNotBeforeTime().toInstant()); |
||||
} |
||||
if (response.getScope() != null) { |
||||
List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList()); |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.SCOPE, scopes); |
||||
for (String scope : scopes) { |
||||
authorities.add(new SimpleGrantedAuthority(AUTHORITY_PREFIX + scope)); |
||||
} |
||||
} |
||||
return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities); |
||||
} |
||||
|
||||
} |
||||
@ -1,240 +0,0 @@
@@ -1,240 +0,0 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.server.resource.introspection; |
||||
|
||||
import java.net.URI; |
||||
import java.time.Instant; |
||||
import java.util.ArrayList; |
||||
import java.util.Collection; |
||||
import java.util.Collections; |
||||
import java.util.List; |
||||
import java.util.Map; |
||||
|
||||
import com.nimbusds.oauth2.sdk.ErrorObject; |
||||
import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse; |
||||
import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse; |
||||
import com.nimbusds.oauth2.sdk.http.HTTPResponse; |
||||
import com.nimbusds.oauth2.sdk.id.Audience; |
||||
import org.apache.commons.logging.Log; |
||||
import org.apache.commons.logging.LogFactory; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.core.io.buffer.DataBuffer; |
||||
import org.springframework.core.io.buffer.DataBufferUtils; |
||||
import org.springframework.http.HttpHeaders; |
||||
import org.springframework.http.MediaType; |
||||
import org.springframework.security.core.GrantedAuthority; |
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority; |
||||
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; |
||||
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames; |
||||
import org.springframework.util.Assert; |
||||
import org.springframework.web.reactive.function.BodyInserters; |
||||
import org.springframework.web.reactive.function.client.ClientResponse; |
||||
import org.springframework.web.reactive.function.client.WebClient; |
||||
|
||||
/** |
||||
* A Nimbus implementation of {@link ReactiveOpaqueTokenIntrospector} that verifies and |
||||
* introspects a token using the configured |
||||
* <a href="https://tools.ietf.org/html/rfc7662" target="_blank">OAuth 2.0 Introspection |
||||
* Endpoint</a>. |
||||
* |
||||
* @author Josh Cummings |
||||
* @since 5.2 |
||||
* @deprecated Please use {@link SpringReactiveOpaqueTokenIntrospector} instead |
||||
*/ |
||||
@Deprecated |
||||
public class NimbusReactiveOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector { |
||||
|
||||
private static final String AUTHORITY_PREFIX = "SCOPE_"; |
||||
|
||||
private final Log logger = LogFactory.getLog(getClass()); |
||||
|
||||
private final URI introspectionUri; |
||||
|
||||
private final WebClient webClient; |
||||
|
||||
/** |
||||
* Creates a {@code OpaqueTokenReactiveAuthenticationManager} with the provided |
||||
* parameters |
||||
* @param introspectionUri The introspection endpoint uri |
||||
* @param clientId The client id authorized to introspect |
||||
* @param clientSecret The client secret for the authorized client |
||||
*/ |
||||
public NimbusReactiveOpaqueTokenIntrospector(String introspectionUri, String clientId, String clientSecret) { |
||||
Assert.hasText(introspectionUri, "introspectionUri cannot be empty"); |
||||
Assert.hasText(clientId, "clientId cannot be empty"); |
||||
Assert.notNull(clientSecret, "clientSecret cannot be null"); |
||||
this.introspectionUri = URI.create(introspectionUri); |
||||
this.webClient = WebClient.builder().defaultHeaders((h) -> h.setBasicAuth(clientId, clientSecret)).build(); |
||||
} |
||||
|
||||
/** |
||||
* Creates a {@code OpaqueTokenReactiveAuthenticationManager} with the provided |
||||
* parameters |
||||
* @param introspectionUri The introspection endpoint uri |
||||
* @param webClient The client for performing the introspection request |
||||
*/ |
||||
public NimbusReactiveOpaqueTokenIntrospector(String introspectionUri, WebClient webClient) { |
||||
Assert.hasText(introspectionUri, "introspectionUri cannot be null"); |
||||
Assert.notNull(webClient, "webClient cannot be null"); |
||||
this.introspectionUri = URI.create(introspectionUri); |
||||
this.webClient = webClient; |
||||
} |
||||
|
||||
@Override |
||||
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) { |
||||
// @formatter:off
|
||||
return this.makeRequest(token) |
||||
.exchangeToMono(this::adaptToNimbusResponse) |
||||
.map(this::parseNimbusResponse) |
||||
.map(this::castToNimbusSuccess) |
||||
.doOnNext((response) -> validate(token, response)) |
||||
.map(this::convertClaimsSet) |
||||
.onErrorMap((e) -> !(e instanceof OAuth2IntrospectionException), this::onError); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
private WebClient.RequestHeadersSpec<?> makeRequest(String token) { |
||||
// @formatter:off
|
||||
return this.webClient.post() |
||||
.uri(this.introspectionUri) |
||||
.header(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE) |
||||
.body(BodyInserters.fromFormData("token", token)); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
private Mono<HTTPResponse> adaptToNimbusResponse(ClientResponse responseEntity) { |
||||
MediaType contentType = responseEntity.headers().contentType().orElseThrow(() -> { |
||||
this.logger.trace("Did not receive Content-Type from introspection endpoint in response"); |
||||
|
||||
return new OAuth2IntrospectionException( |
||||
"Introspection endpoint response was invalid, as no Content-Type header was provided"); |
||||
}); |
||||
|
||||
// Nimbus expects JSON, but does not appear to validate this header first.
|
||||
if (!contentType.isCompatibleWith(MediaType.APPLICATION_JSON)) { |
||||
this.logger.trace("Did not receive JSON-compatible Content-Type from introspection endpoint in response"); |
||||
|
||||
throw new OAuth2IntrospectionException("Introspection endpoint response was invalid, as content type '" |
||||
+ contentType + "' is not compatible with JSON"); |
||||
} |
||||
|
||||
HTTPResponse response = new HTTPResponse(responseEntity.statusCode().value()); |
||||
response.setHeader(HttpHeaders.CONTENT_TYPE, contentType.toString()); |
||||
if (response.getStatusCode() != HTTPResponse.SC_OK) { |
||||
this.logger.trace("Introspection endpoint returned non-OK status code"); |
||||
|
||||
// @formatter:off
|
||||
return responseEntity.bodyToFlux(DataBuffer.class) |
||||
.map(DataBufferUtils::release) |
||||
.then(Mono.error(new OAuth2IntrospectionException( |
||||
"Introspection endpoint responded with HTTP status code " + response.getStatusCode())) |
||||
); |
||||
// @formatter:on
|
||||
} |
||||
return responseEntity.bodyToMono(String.class).doOnNext(response::setContent).map((body) -> response); |
||||
} |
||||
|
||||
private TokenIntrospectionResponse parseNimbusResponse(HTTPResponse response) { |
||||
try { |
||||
return TokenIntrospectionResponse.parse(response); |
||||
} |
||||
catch (Exception ex) { |
||||
throw new OAuth2IntrospectionException(ex.getMessage(), ex); |
||||
} |
||||
} |
||||
|
||||
private TokenIntrospectionSuccessResponse castToNimbusSuccess(TokenIntrospectionResponse introspectionResponse) { |
||||
if (!introspectionResponse.indicatesSuccess()) { |
||||
ErrorObject errorObject = introspectionResponse.toErrorResponse().getErrorObject(); |
||||
String message = "Token introspection failed with response " + errorObject.toJSONObject().toJSONString(); |
||||
this.logger.trace(message); |
||||
throw new OAuth2IntrospectionException(message); |
||||
} |
||||
return (TokenIntrospectionSuccessResponse) introspectionResponse; |
||||
} |
||||
|
||||
private void validate(String token, TokenIntrospectionSuccessResponse response) { |
||||
// relying solely on the authorization server to validate this token (not checking
|
||||
// 'exp', for example)
|
||||
if (!response.isActive()) { |
||||
this.logger.trace("Did not validate token since it is inactive"); |
||||
throw new BadOpaqueTokenException("Provided token isn't active"); |
||||
} |
||||
} |
||||
|
||||
private OAuth2AuthenticatedPrincipal convertClaimsSet(TokenIntrospectionSuccessResponse response) { |
||||
Map<String, Object> claims = response.toJSONObject(); |
||||
Collection<GrantedAuthority> authorities = new ArrayList<>(); |
||||
if (response.getAudience() != null) { |
||||
List<String> audiences = new ArrayList<>(); |
||||
for (Audience audience : response.getAudience()) { |
||||
audiences.add(audience.getValue()); |
||||
} |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.AUD, Collections.unmodifiableList(audiences)); |
||||
} |
||||
if (response.getClientID() != null) { |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, response.getClientID().getValue()); |
||||
} |
||||
if (response.getExpirationTime() != null) { |
||||
Instant exp = response.getExpirationTime().toInstant(); |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.EXP, exp); |
||||
} |
||||
if (response.getIssueTime() != null) { |
||||
Instant iat = response.getIssueTime().toInstant(); |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.IAT, iat); |
||||
} |
||||
if (response.getIssuer() != null) { |
||||
// RFC-7662 page 7 directs users to RFC-7519 for defining the values of these
|
||||
// issuer fields.
|
||||
// https://datatracker.ietf.org/doc/html/rfc7662#page-7
|
||||
//
|
||||
// RFC-7519 page 9 defines issuer fields as being 'case-sensitive' strings
|
||||
// containing
|
||||
// a 'StringOrURI', which is defined on page 5 as being any string, but
|
||||
// strings containing ':'
|
||||
// should be treated as valid URIs.
|
||||
// https://datatracker.ietf.org/doc/html/rfc7519#section-2
|
||||
//
|
||||
// It is not defined however as to whether-or-not normalized URIs should be
|
||||
// treated as the same literal
|
||||
// value. It only defines validation itself, so to avoid potential ambiguity
|
||||
// or unwanted side effects that
|
||||
// may be awkward to debug, we do not want to manipulate this value. Previous
|
||||
// versions of Spring Security
|
||||
// would *only* allow valid URLs, which is not what we wish to achieve here.
|
||||
claims.put(OAuth2TokenIntrospectionClaimNames.ISS, response.getIssuer().getValue()); |
||||
} |
||||
if (response.getNotBeforeTime() != null) { |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.NBF, response.getNotBeforeTime().toInstant()); |
||||
} |
||||
if (response.getScope() != null) { |
||||
List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList()); |
||||
claims.put(OAuth2TokenIntrospectionClaimNames.SCOPE, scopes); |
||||
|
||||
for (String scope : scopes) { |
||||
authorities.add(new SimpleGrantedAuthority(AUTHORITY_PREFIX + scope)); |
||||
} |
||||
} |
||||
return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities); |
||||
} |
||||
|
||||
private OAuth2IntrospectionException onError(Throwable ex) { |
||||
return new OAuth2IntrospectionException(ex.getMessage(), ex); |
||||
} |
||||
|
||||
} |
||||
@ -1,383 +0,0 @@
@@ -1,383 +0,0 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.server.resource.introspection; |
||||
|
||||
import java.io.IOException; |
||||
import java.time.Instant; |
||||
import java.util.Arrays; |
||||
import java.util.Base64; |
||||
import java.util.HashMap; |
||||
import java.util.Map; |
||||
import java.util.Optional; |
||||
|
||||
import net.minidev.json.JSONArray; |
||||
import net.minidev.json.JSONObject; |
||||
import okhttp3.mockwebserver.Dispatcher; |
||||
import okhttp3.mockwebserver.MockResponse; |
||||
import okhttp3.mockwebserver.MockWebServer; |
||||
import okhttp3.mockwebserver.RecordedRequest; |
||||
import org.junit.jupiter.api.Test; |
||||
import org.junit.jupiter.params.ParameterizedTest; |
||||
import org.junit.jupiter.params.provider.ValueSource; |
||||
|
||||
import org.springframework.core.convert.converter.Converter; |
||||
import org.springframework.http.HttpHeaders; |
||||
import org.springframework.http.HttpStatus; |
||||
import org.springframework.http.MediaType; |
||||
import org.springframework.http.RequestEntity; |
||||
import org.springframework.http.ResponseEntity; |
||||
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; |
||||
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames; |
||||
import org.springframework.web.client.RestOperations; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; |
||||
import static org.assertj.core.api.Assumptions.assumeThat; |
||||
import static org.mockito.ArgumentMatchers.any; |
||||
import static org.mockito.ArgumentMatchers.eq; |
||||
import static org.mockito.BDDMockito.given; |
||||
import static org.mockito.Mockito.mock; |
||||
import static org.mockito.Mockito.verify; |
||||
|
||||
/** |
||||
* Tests for {@link NimbusOpaqueTokenIntrospector} |
||||
*/ |
||||
public class NimbusOpaqueTokenIntrospectorTests { |
||||
|
||||
private static final String INTROSPECTION_URL = "https://server.example.com"; |
||||
|
||||
private static final String CLIENT_ID = "client"; |
||||
|
||||
private static final String CLIENT_SECRET = "secret"; |
||||
|
||||
// @formatter:off
|
||||
private static final String ACTIVE_RESPONSE = "{\n" |
||||
+ " \"active\": true,\n" |
||||
+ " \"client_id\": \"l238j323ds-23ij4\",\n" |
||||
+ " \"username\": \"jdoe\",\n" |
||||
+ " \"scope\": \"read write dolphin\",\n" |
||||
+ " \"sub\": \"Z5O3upPC88QrAjx00dis\",\n" |
||||
+ " \"aud\": \"https://protected.example.net/resource\",\n" |
||||
+ " \"iss\": \"https://server.example.com/\",\n" |
||||
+ " \"exp\": 1419356238,\n" |
||||
+ " \"iat\": 1419350238,\n" |
||||
+ " \"extension_field\": \"twenty-seven\"\n" |
||||
+ " }"; |
||||
// @formatter:on
|
||||
|
||||
// @formatter:off
|
||||
private static final String INACTIVE_RESPONSE = "{\n" |
||||
+ " \"active\": false\n" |
||||
+ " }"; |
||||
// @formatter:on
|
||||
|
||||
// @formatter:off
|
||||
private static final String INVALID_RESPONSE = "{\n" |
||||
+ " \"client_id\": \"l238j323ds-23ij4\",\n" |
||||
+ " \"username\": \"jdoe\",\n" |
||||
+ " \"scope\": \"read write dolphin\",\n" |
||||
+ " \"sub\": \"Z5O3upPC88QrAjx00dis\",\n" |
||||
+ " \"aud\": \"https://protected.example.net/resource\",\n" |
||||
+ " \"iss\": \"https://server.example.com/\",\n" |
||||
+ " \"exp\": 1419356238,\n" |
||||
+ " \"iat\": 1419350238,\n" |
||||
+ " \"extension_field\": \"twenty-seven\"\n" |
||||
+ " }"; |
||||
// @formatter:on
|
||||
|
||||
// @formatter:off
|
||||
private static final String MALFORMED_ISSUER_RESPONSE = "{\n" |
||||
+ " \"active\" : \"true\",\n" |
||||
+ " \"iss\" : \"badissuer\"\n" |
||||
+ " }"; |
||||
// @formatter:on
|
||||
|
||||
// @formatter:off
|
||||
private static final String MALFORMED_SCOPE_RESPONSE = "{\n" |
||||
+ " \"active\": true,\n" |
||||
+ " \"client_id\": \"l238j323ds-23ij4\",\n" |
||||
+ " \"username\": \"jdoe\",\n" |
||||
+ " \"scope\": [ \"read\", \"write\", \"dolphin\" ],\n" |
||||
+ " \"sub\": \"Z5O3upPC88QrAjx00dis\",\n" |
||||
+ " \"aud\": \"https://protected.example.net/resource\",\n" |
||||
+ " \"iss\": \"https://server.example.com/\",\n" |
||||
+ " \"exp\": 1419356238,\n" |
||||
+ " \"iat\": 1419350238,\n" |
||||
+ " \"extension_field\": \"twenty-seven\"\n" |
||||
+ " }"; |
||||
// @formatter:on
|
||||
|
||||
private static final ResponseEntity<String> ACTIVE = response(ACTIVE_RESPONSE); |
||||
|
||||
private static final ResponseEntity<String> INACTIVE = response(INACTIVE_RESPONSE); |
||||
|
||||
private static final ResponseEntity<String> INVALID = response(INVALID_RESPONSE); |
||||
|
||||
private static final ResponseEntity<String> MALFORMED_ISSUER = response(MALFORMED_ISSUER_RESPONSE); |
||||
|
||||
private static final ResponseEntity<String> MALFORMED_SCOPE = response(MALFORMED_SCOPE_RESPONSE); |
||||
|
||||
@Test |
||||
public void introspectWhenActiveTokenThenOk() throws Exception { |
||||
try (MockWebServer server = new MockWebServer()) { |
||||
server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE)); |
||||
String introspectUri = server.url("/introspect").toString(); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(introspectUri, CLIENT_ID, |
||||
CLIENT_SECRET); |
||||
OAuth2AuthenticatedPrincipal authority = introspectionClient.introspect("token"); |
||||
// @formatter:off
|
||||
assertThat(authority.getAttributes()) |
||||
.isNotNull() |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.ACTIVE, true) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.AUD, |
||||
Arrays.asList("https://protected.example.net/resource")) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, "l238j323ds-23ij4") |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.EXP, Instant.ofEpochSecond(1419356238)) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.ISS, "https://server.example.com/") |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.SCOPE, Arrays.asList("read", "write", "dolphin")) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.SUB, "Z5O3upPC88QrAjx00dis") |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.USERNAME, "jdoe") |
||||
.containsEntry("extension_field", "twenty-seven"); |
||||
// @formatter:on
|
||||
} |
||||
} |
||||
|
||||
@Test |
||||
public void introspectWhenBadClientCredentialsThenError() throws IOException { |
||||
try (MockWebServer server = new MockWebServer()) { |
||||
server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE)); |
||||
String introspectUri = server.url("/introspect").toString(); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(introspectUri, CLIENT_ID, |
||||
"wrong"); |
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token")); |
||||
} |
||||
} |
||||
|
||||
@Test |
||||
public void introspectWhenInactiveTokenThenInvalidToken() { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))).willReturn(INACTIVE); |
||||
// @formatter:off
|
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token")) |
||||
.withMessage("Provided token isn't active"); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
@Test |
||||
public void introspectWhenActiveTokenThenParsesValuesInResponse() { |
||||
Map<String, Object> introspectedValues = new HashMap<>(); |
||||
introspectedValues.put(OAuth2TokenIntrospectionClaimNames.ACTIVE, true); |
||||
introspectedValues.put(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("aud")); |
||||
introspectedValues.put(OAuth2TokenIntrospectionClaimNames.NBF, 29348723984L); |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))) |
||||
.willReturn(response(new JSONObject(introspectedValues).toJSONString())); |
||||
OAuth2AuthenticatedPrincipal authority = introspectionClient.introspect("token"); |
||||
// @formatter:off
|
||||
assertThat(authority.getAttributes()) |
||||
.isNotNull() |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.ACTIVE, true) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("aud")) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.NBF, Instant.ofEpochSecond(29348723984L)) |
||||
.doesNotContainKey(OAuth2TokenIntrospectionClaimNames.CLIENT_ID) |
||||
.doesNotContainKey(OAuth2TokenIntrospectionClaimNames.SCOPE); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
@Test |
||||
public void introspectWhenIntrospectionEndpointThrowsExceptionThenInvalidToken() { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))) |
||||
.willThrow(new IllegalStateException("server was unresponsive")); |
||||
// @formatter:off
|
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token")) |
||||
.withMessage("server was unresponsive"); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
@Test |
||||
public void introspectWhenIntrospectionEndpointReturnsMalformedResponseThenInvalidToken() { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))).willReturn(response("malformed")); |
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token")); |
||||
} |
||||
|
||||
@Test |
||||
public void introspectWhenIntrospectionTokenReturnsInvalidResponseThenInvalidToken() { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))).willReturn(INVALID); |
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token")); |
||||
} |
||||
|
||||
@Test |
||||
public void introspectWhenIntrospectionTokenReturnsMalformedIssuerResponseThenInvalidToken() { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))).willReturn(MALFORMED_ISSUER); |
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token")); |
||||
} |
||||
|
||||
// gh-7563
|
||||
@Test |
||||
public void introspectWhenIntrospectionTokenReturnsMalformedScopeThenEmptyAuthorities() { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))).willReturn(MALFORMED_SCOPE); |
||||
OAuth2AuthenticatedPrincipal principal = introspectionClient.introspect("token"); |
||||
assertThat(principal.getAuthorities()).isEmpty(); |
||||
JSONArray scope = principal.getAttribute("scope"); |
||||
assertThat(scope).containsExactly("read", "write", "dolphin"); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenIntrospectionUriIsNullThenIllegalArgumentException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new NimbusOpaqueTokenIntrospector(null, CLIENT_ID, CLIENT_SECRET)); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenClientIdIsNullThenIllegalArgumentException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, null, CLIENT_SECRET)); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenClientSecretIsNullThenIllegalArgumentException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, CLIENT_ID, null)); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenRestOperationsIsNullThenIllegalArgumentException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, null)); |
||||
} |
||||
|
||||
@Test |
||||
public void setRequestEntityConverterWhenConverterIsNullThenExceptionIsThrown() { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
NimbusOpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
assertThatExceptionOfType(IllegalArgumentException.class) |
||||
.isThrownBy(() -> introspectionClient.setRequestEntityConverter(null)); |
||||
} |
||||
|
||||
@SuppressWarnings("unchecked") |
||||
@Test |
||||
public void setRequestEntityConverterWhenNonNullConverterGivenThenConverterUsed() { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
Converter<String, RequestEntity<?>> requestEntityConverter = mock(Converter.class); |
||||
RequestEntity requestEntity = mock(RequestEntity.class); |
||||
String tokenToIntrospect = "some token"; |
||||
given(requestEntityConverter.convert(tokenToIntrospect)).willReturn(requestEntity); |
||||
given(restOperations.exchange(requestEntity, String.class)).willReturn(ACTIVE); |
||||
NimbusOpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
introspectionClient.setRequestEntityConverter(requestEntityConverter); |
||||
introspectionClient.introspect(tokenToIntrospect); |
||||
verify(requestEntityConverter).convert(tokenToIntrospect); |
||||
} |
||||
|
||||
@Test |
||||
public void handleMissingContentType() { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
ResponseEntity<String> stubResponse = ResponseEntity.ok(ACTIVE_RESPONSE); |
||||
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))).willReturn(stubResponse); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
|
||||
// Protect against potential regressions where a default content type might be
|
||||
// added by default.
|
||||
assumeThat(stubResponse.getHeaders().getContentType()).isNull(); |
||||
|
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("sometokenhere")); |
||||
} |
||||
|
||||
@ParameterizedTest(name = "{displayName} when Content-Type={0}") |
||||
@ValueSource(strings = { MediaType.APPLICATION_CBOR_VALUE, MediaType.TEXT_MARKDOWN_VALUE, |
||||
MediaType.APPLICATION_XML_VALUE, MediaType.APPLICATION_OCTET_STREAM_VALUE }) |
||||
public void handleNonJsonContentType(String type) { |
||||
RestOperations restOperations = mock(RestOperations.class); |
||||
ResponseEntity<String> stubResponse = ResponseEntity.ok() |
||||
.contentType(MediaType.parseMediaType(type)) |
||||
.body(ACTIVE_RESPONSE); |
||||
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))).willReturn(stubResponse); |
||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, |
||||
restOperations); |
||||
|
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("sometokenhere")); |
||||
} |
||||
|
||||
private static ResponseEntity<String> response(String content) { |
||||
HttpHeaders headers = new HttpHeaders(); |
||||
headers.setContentType(MediaType.APPLICATION_JSON); |
||||
return new ResponseEntity<>(content, headers, HttpStatus.OK); |
||||
} |
||||
|
||||
private static Dispatcher requiresAuth(String username, String password, String response) { |
||||
return new Dispatcher() { |
||||
@Override |
||||
public MockResponse dispatch(RecordedRequest request) { |
||||
String authorization = request.getHeader(HttpHeaders.AUTHORIZATION); |
||||
// @formatter:off
|
||||
return Optional.ofNullable(authorization) |
||||
.filter((a) -> isAuthorized(authorization, username, password)) |
||||
.map((a) -> ok(response)) |
||||
.orElse(unauthorized()); |
||||
// @formatter:on
|
||||
} |
||||
}; |
||||
} |
||||
|
||||
private static boolean isAuthorized(String authorization, String username, String password) { |
||||
String[] values = new String(Base64.getDecoder().decode(authorization.substring(6))).split(":"); |
||||
return username.equals(values[0]) && password.equals(values[1]); |
||||
} |
||||
|
||||
private static MockResponse ok(String response) { |
||||
// @formatter:off
|
||||
return new MockResponse().setBody(response) |
||||
.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
private static MockResponse unauthorized() { |
||||
return new MockResponse().setResponseCode(401); |
||||
} |
||||
|
||||
} |
||||
@ -1,331 +0,0 @@
@@ -1,331 +0,0 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.server.resource.introspection; |
||||
|
||||
import java.io.IOException; |
||||
import java.time.Instant; |
||||
import java.util.Arrays; |
||||
import java.util.Base64; |
||||
import java.util.HashMap; |
||||
import java.util.Map; |
||||
import java.util.Optional; |
||||
import java.util.function.Function; |
||||
|
||||
import net.minidev.json.JSONObject; |
||||
import okhttp3.mockwebserver.Dispatcher; |
||||
import okhttp3.mockwebserver.MockResponse; |
||||
import okhttp3.mockwebserver.MockWebServer; |
||||
import okhttp3.mockwebserver.RecordedRequest; |
||||
import org.junit.jupiter.api.Test; |
||||
import org.junit.jupiter.params.ParameterizedTest; |
||||
import org.junit.jupiter.params.provider.ValueSource; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.http.HttpHeaders; |
||||
import org.springframework.http.HttpStatus; |
||||
import org.springframework.http.MediaType; |
||||
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; |
||||
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames; |
||||
import org.springframework.web.reactive.function.client.ClientResponse; |
||||
import org.springframework.web.reactive.function.client.WebClient; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; |
||||
import static org.mockito.ArgumentMatchers.any; |
||||
import static org.mockito.BDDMockito.given; |
||||
import static org.mockito.Mockito.mock; |
||||
import static org.mockito.Mockito.spy; |
||||
|
||||
/** |
||||
* Tests for {@link NimbusReactiveOpaqueTokenIntrospector} |
||||
*/ |
||||
public class NimbusReactiveOpaqueTokenIntrospectorTests { |
||||
|
||||
private static final String INTROSPECTION_URL = "https://server.example.com"; |
||||
|
||||
private static final String CLIENT_ID = "client"; |
||||
|
||||
private static final String CLIENT_SECRET = "secret"; |
||||
|
||||
// @formatter:off
|
||||
private static final String ACTIVE_RESPONSE = "{\n" |
||||
+ " \"active\": true,\n" |
||||
+ " \"client_id\": \"l238j323ds-23ij4\",\n" |
||||
+ " \"username\": \"jdoe\",\n" |
||||
+ " \"scope\": \"read write dolphin\",\n" |
||||
+ " \"sub\": \"Z5O3upPC88QrAjx00dis\",\n" |
||||
+ " \"aud\": \"https://protected.example.net/resource\",\n" |
||||
+ " \"iss\": \"https://server.example.com/\",\n" |
||||
+ " \"exp\": 1419356238,\n" |
||||
+ " \"iat\": 1419350238,\n" |
||||
+ " \"extension_field\": \"twenty-seven\"\n" |
||||
+ " }"; |
||||
// @formatter:on
|
||||
|
||||
// @formatter:off
|
||||
private static final String INACTIVE_RESPONSE = "{\n" |
||||
+ " \"active\": false\n" |
||||
+ " }"; |
||||
// @formatter:on
|
||||
|
||||
// @formatter:off
|
||||
private static final String INVALID_RESPONSE = "{\n" |
||||
+ " \"client_id\": \"l238j323ds-23ij4\",\n" |
||||
+ " \"username\": \"jdoe\",\n" |
||||
+ " \"scope\": \"read write dolphin\",\n" |
||||
+ " \"sub\": \"Z5O3upPC88QrAjx00dis\",\n" |
||||
+ " \"aud\": \"https://protected.example.net/resource\",\n" |
||||
+ " \"iss\": \"https://server.example.com/\",\n" |
||||
+ " \"exp\": 1419356238,\n" |
||||
+ " \"iat\": 1419350238,\n" |
||||
+ " \"extension_field\": \"twenty-seven\"\n" |
||||
+ " }"; |
||||
// @formatter:on
|
||||
|
||||
// @formatter:off
|
||||
private static final String MALFORMED_ISSUER_RESPONSE = "{\n" |
||||
+ " \"active\" : \"true\",\n" |
||||
+ " \"iss\" : \"badissuer\"\n" |
||||
+ " }"; |
||||
// @formatter:on
|
||||
|
||||
@Test |
||||
public void authenticateWhenActiveTokenThenOk() throws Exception { |
||||
try (MockWebServer server = new MockWebServer()) { |
||||
server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE)); |
||||
String introspectUri = server.url("/introspect").toString(); |
||||
NimbusReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
introspectUri, CLIENT_ID, CLIENT_SECRET); |
||||
OAuth2AuthenticatedPrincipal authority = introspectionClient.introspect("token").block(); |
||||
// @formatter:off
|
||||
assertThat(authority.getAttributes()) |
||||
.isNotNull() |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.ACTIVE, true) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.AUD, |
||||
Arrays.asList("https://protected.example.net/resource")) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, "l238j323ds-23ij4") |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.EXP, Instant.ofEpochSecond(1419356238)) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.ISS, "https://server.example.com/") |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.SCOPE, Arrays.asList("read", "write", "dolphin")) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.SUB, "Z5O3upPC88QrAjx00dis") |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.USERNAME, "jdoe") |
||||
.containsEntry("extension_field", "twenty-seven"); |
||||
// @formatter:on
|
||||
} |
||||
} |
||||
|
||||
@Test |
||||
public void authenticateWhenBadClientCredentialsThenAuthenticationException() throws IOException { |
||||
try (MockWebServer server = new MockWebServer()) { |
||||
server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE)); |
||||
String introspectUri = server.url("/introspect").toString(); |
||||
NimbusReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
introspectUri, CLIENT_ID, "wrong"); |
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token").block()); |
||||
|
||||
} |
||||
} |
||||
|
||||
@Test |
||||
public void authenticateWhenInactiveTokenThenInvalidToken() { |
||||
WebClient webClient = mockResponse(INACTIVE_RESPONSE); |
||||
NimbusReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
INTROSPECTION_URL, webClient); |
||||
assertThatExceptionOfType(BadOpaqueTokenException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token").block()) |
||||
.withMessage("Provided token isn't active"); |
||||
} |
||||
|
||||
@Test |
||||
public void authenticateWhenActiveTokenThenParsesValuesInResponse() { |
||||
Map<String, Object> introspectedValues = new HashMap<>(); |
||||
introspectedValues.put(OAuth2TokenIntrospectionClaimNames.ACTIVE, true); |
||||
introspectedValues.put(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("aud")); |
||||
introspectedValues.put(OAuth2TokenIntrospectionClaimNames.NBF, 29348723984L); |
||||
WebClient webClient = mockResponse(new JSONObject(introspectedValues).toJSONString()); |
||||
NimbusReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
INTROSPECTION_URL, webClient); |
||||
OAuth2AuthenticatedPrincipal authority = introspectionClient.introspect("token").block(); |
||||
// @formatter:off
|
||||
assertThat(authority.getAttributes()) |
||||
.isNotNull() |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.ACTIVE, true) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("aud")) |
||||
.containsEntry(OAuth2TokenIntrospectionClaimNames.NBF, Instant.ofEpochSecond(29348723984L)) |
||||
.doesNotContainKey(OAuth2TokenIntrospectionClaimNames.CLIENT_ID) |
||||
.doesNotContainKey(OAuth2TokenIntrospectionClaimNames.SCOPE); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
@Test |
||||
public void authenticateWhenIntrospectionEndpointThrowsExceptionThenInvalidToken() { |
||||
WebClient webClient = mockResponse(new IllegalStateException("server was unresponsive")); |
||||
NimbusReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
INTROSPECTION_URL, webClient); |
||||
// @formatter:off
|
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token").block()) |
||||
.withMessage("server was unresponsive"); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
@Test |
||||
public void authenticateWhenIntrospectionEndpointReturnsMalformedResponseThenInvalidToken() { |
||||
WebClient webClient = mockResponse("malformed"); |
||||
NimbusReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
INTROSPECTION_URL, webClient); |
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token").block()); |
||||
} |
||||
|
||||
@Test |
||||
public void authenticateWhenIntrospectionTokenReturnsInvalidResponseThenInvalidToken() { |
||||
WebClient webClient = mockResponse(INVALID_RESPONSE); |
||||
NimbusReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
INTROSPECTION_URL, webClient); |
||||
// @formatter:off
|
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token").block()); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
@Test |
||||
public void authenticateWhenIntrospectionTokenReturnsMalformedIssuerResponseThenInvalidToken() { |
||||
WebClient webClient = mockResponse(MALFORMED_ISSUER_RESPONSE); |
||||
NimbusReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
INTROSPECTION_URL, webClient); |
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("token").block()); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenIntrospectionUriIsEmptyThenIllegalArgumentException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new NimbusReactiveOpaqueTokenIntrospector("", CLIENT_ID, CLIENT_SECRET)); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenClientIdIsEmptyThenIllegalArgumentException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, "", CLIENT_SECRET)); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenClientSecretIsNullThenIllegalArgumentException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, CLIENT_ID, null)); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenRestOperationsIsNullThenIllegalArgumentException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, null)); |
||||
} |
||||
|
||||
@Test |
||||
public void handleMissingContentType() { |
||||
WebClient client = mockResponse(ACTIVE_RESPONSE, null); |
||||
|
||||
ReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
INTROSPECTION_URL, client); |
||||
|
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("sometokenhere").block()); |
||||
} |
||||
|
||||
@ParameterizedTest(name = "{displayName} when Content-Type={0}") |
||||
@ValueSource(strings = { MediaType.APPLICATION_CBOR_VALUE, MediaType.TEXT_MARKDOWN_VALUE, |
||||
MediaType.APPLICATION_XML_VALUE, MediaType.APPLICATION_OCTET_STREAM_VALUE }) |
||||
public void handleNonJsonContentType(String type) { |
||||
WebClient client = mockResponse(ACTIVE_RESPONSE, type); |
||||
|
||||
ReactiveOpaqueTokenIntrospector introspectionClient = new NimbusReactiveOpaqueTokenIntrospector( |
||||
INTROSPECTION_URL, client); |
||||
|
||||
assertThatExceptionOfType(OAuth2IntrospectionException.class) |
||||
.isThrownBy(() -> introspectionClient.introspect("sometokenhere").block()); |
||||
} |
||||
|
||||
private WebClient mockResponse(String response) { |
||||
return mockResponse(response, MediaType.APPLICATION_JSON_VALUE); |
||||
} |
||||
|
||||
private WebClient mockResponse(String response, String mediaType) { |
||||
WebClient.ResponseSpec responseSpec = mock(WebClient.ResponseSpec.class); |
||||
WebClient real = WebClient.builder().build(); |
||||
WebClient.RequestBodyUriSpec spec = spy(real.post()); |
||||
WebClient webClient = spy(WebClient.class); |
||||
given(webClient.post()).willReturn(spec); |
||||
ClientResponse clientResponse = mock(ClientResponse.class); |
||||
given(clientResponse.statusCode()).willReturn(HttpStatus.OK); |
||||
given(clientResponse.bodyToMono(String.class)).willReturn(Mono.just(response)); |
||||
ClientResponse.Headers headers = mock(ClientResponse.Headers.class); |
||||
given(headers.contentType()).willReturn(Optional.ofNullable(mediaType).map(MediaType::parseMediaType)); |
||||
given(clientResponse.headers()).willReturn(headers); |
||||
given(responseSpec.bodyToMono(ClientResponse.class)).willReturn(Mono.just(clientResponse)); |
||||
given(spec.exchangeToMono(any())).willAnswer((invocation) -> { |
||||
Object[] args = invocation.getArguments(); |
||||
Function<ClientResponse, Mono<ClientResponse>> fn = (Function<ClientResponse, Mono<ClientResponse>>) args[0]; |
||||
return fn.apply(clientResponse); |
||||
}); |
||||
given(spec.retrieve()).willReturn(responseSpec); |
||||
return webClient; |
||||
} |
||||
|
||||
private WebClient mockResponse(Throwable ex) { |
||||
WebClient real = WebClient.builder().build(); |
||||
WebClient.RequestBodyUriSpec spec = spy(real.post()); |
||||
WebClient webClient = spy(WebClient.class); |
||||
given(webClient.post()).willReturn(spec); |
||||
given(spec.exchangeToMono(any())).willReturn(Mono.error(ex)); |
||||
return webClient; |
||||
} |
||||
|
||||
private static Dispatcher requiresAuth(String username, String password, String response) { |
||||
return new Dispatcher() { |
||||
@Override |
||||
public MockResponse dispatch(RecordedRequest request) { |
||||
String authorization = request.getHeader(HttpHeaders.AUTHORIZATION); |
||||
// @formatter:off
|
||||
return Optional.ofNullable(authorization) |
||||
.filter((a) -> isAuthorized(authorization, username, password)) |
||||
.map((a) -> ok(response)) |
||||
.orElse(unauthorized()); |
||||
// @formatter:on
|
||||
} |
||||
}; |
||||
} |
||||
|
||||
private static boolean isAuthorized(String authorization, String username, String password) { |
||||
String[] values = new String(Base64.getDecoder().decode(authorization.substring(6))).split(":"); |
||||
return username.equals(values[0]) && password.equals(values[1]); |
||||
} |
||||
|
||||
private static MockResponse ok(String response) { |
||||
// @formatter:off
|
||||
return new MockResponse().setBody(response) |
||||
.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
private static MockResponse unauthorized() { |
||||
return new MockResponse().setResponseCode(401); |
||||
} |
||||
|
||||
} |
||||
Loading…
Reference in new issue