GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add Test for Malformed Scope 

Fixes gh-7563
pull/7579/head
Josh Cummings 6 years ago
parent
badb0a08c6
commit
ed02ef9773
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
1 changed files with 33 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 33
      oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospectorTests.java

33
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospectorTests.java
Unescape View File

@ -25,6 +25,7 @@ import java.util.HashMap; @@ -25,6 +25,7 @@ import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import okhttp3.mockwebserver.Dispatcher;
import okhttp3.mockwebserver.MockResponse;
@ -100,10 +101,24 @@ public class NimbusOpaqueTokenIntrospectorTests { @@ -100,10 +101,24 @@ public class NimbusOpaqueTokenIntrospectorTests {
" \"iss\" : \"badissuer\"\n" +
" }";
private static final String MALFORMED_SCOPE_RESPONSE = "{\n" +
" \"active\": true,\n" +
" \"client_id\": \"l238j323ds-23ij4\",\n" +
" \"username\": \"jdoe\",\n" +
" \"scope\": [ \"read\", \"write\", \"dolphin\" ],\n" +
" \"sub\": \"Z5O3upPC88QrAjx00dis\",\n" +
" \"aud\": \"https://protected.example.net/resource\",\n" +
" \"iss\": \"https://server.example.com/\",\n" +
" \"exp\": 1419356238,\n" +
" \"iat\": 1419350238,\n" +
" \"extension_field\": \"twenty-seven\"\n" +
" }";
private static final ResponseEntity<String> ACTIVE = response(ACTIVE_RESPONSE);
private static final ResponseEntity<String> INACTIVE = response(INACTIVE_RESPONSE);
private static final ResponseEntity<String> INVALID = response(INVALID_RESPONSE);
private static final ResponseEntity<String> MALFORMED_ISSUER = response(MALFORMED_ISSUER_RESPONSE);
private static final ResponseEntity<String> MALFORMED_SCOPE = response(MALFORMED_SCOPE_RESPONSE);
@Test
public void introspectWhenActiveTokenThenOk() throws Exception {
@ -230,6 +245,24 @@ public class NimbusOpaqueTokenIntrospectorTests { @@ -230,6 +245,24 @@ public class NimbusOpaqueTokenIntrospectorTests {
.isInstanceOf(OAuth2IntrospectionException.class);
}
// gh-7563
@Test
public void introspectWhenIntrospectionTokenReturnsMalformedScopeThenEmptyAuthorities() {
RestOperations restOperations = mock(RestOperations.class);
OpaqueTokenIntrospector introspectionClient =
new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations);
when(restOperations.exchange(any(RequestEntity.class), eq(String.class)))
.thenReturn(MALFORMED_SCOPE);
OAuth2AuthenticatedPrincipal principal = introspectionClient.introspect("token");
assertThat(principal.getAuthorities()).isEmpty();
assertThat((Object) principal.getAttribute("scope"))
.isNotNull()
.isInstanceOf(JSONArray.class);
JSONArray scope = principal.getAttribute("scope");
assertThat(scope).containsExactly("read", "write", "dolphin");
}
@Test
public void constructorWhenIntrospectionUriIsNullThenIllegalArgumentException() {
assertThatCode(() -> new NimbusOpaqueTokenIntrospector(null, CLIENT_ID, CLIENT_SECRET))

Write Preview
Loading…
Cancel
Save