Gitiles
Code Review Sign In
korap.ids-mannheim.de / KorAP / Kustvakt / ee0cbfe85415d207d3a3926d76c6b15cfe89c6ba / . / full / src / test / java / de / ids_mannheim / korap / web / controller / OAuth2ClientControllerTest.java
blob: c7f06e1228f5ec37e4af16194dd8171f078308ca [file] [log] [blame]
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]1package de.ids_mannheim.korap.web.controller;
2
3import static org.junit.Assert.assertEquals;
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]4import static org.junit.Assert.assertNotNull;
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]5import static org.junit.Assert.assertTrue;
6
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]7import java.util.List;
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]8import java.util.Map.Entry;
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]9import java.util.Set;
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]10
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]11import javax.ws.rs.core.MultivaluedMap;
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]12
13import org.apache.http.entity.ContentType;
14import org.junit.Test;
15
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]16import com.fasterxml.jackson.databind.JsonNode;
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]17import com.google.common.net.HttpHeaders;
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]18import com.sun.jersey.api.client.ClientHandlerException;
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]19import com.sun.jersey.api.client.ClientResponse;
20import com.sun.jersey.api.client.ClientResponse.Status;
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]21import com.sun.jersey.api.client.UniformInterfaceException;
22import com.sun.jersey.core.util.MultivaluedMapImpl;
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]23import com.sun.jersey.spi.container.ContainerRequest;
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]24
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]25import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
26import de.ids_mannheim.korap.config.Attributes;
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]27import de.ids_mannheim.korap.exceptions.KustvaktException;
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]28import de.ids_mannheim.korap.exceptions.StatusCodes;
margarethaa452c5e2018-04-25 22:48:09 +0200[diff] [blame]29import de.ids_mannheim.korap.oauth2.constant.OAuth2ClientType;
30import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]31import de.ids_mannheim.korap.utils.JsonUtils;
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]32import de.ids_mannheim.korap.web.input.OAuth2ClientJson;
33
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]34/**
35 * @author margaretha
36 *
37 */
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]38public class OAuth2ClientControllerTest extends OAuth2TestBase {
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]39
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]40 private String username = "OAuth2ClientControllerTest";
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]41 private String userAuthHeader;
42
43 public OAuth2ClientControllerTest () throws KustvaktException {
44 userAuthHeader = HttpAuthorizationHandler
45 .createBasicAuthorizationHeaderValue("dory", "password");
46 }
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]47
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]48 private void checkWWWAuthenticateHeader (ClientResponse response) {
49 Set<Entry<String, List<String>>> headers =
50 response.getHeaders().entrySet();
51
52 for (Entry<String, List<String>> header : headers) {
53 if (header.getKey().equals(ContainerRequest.WWW_AUTHENTICATE)) {
54 assertEquals("Basic realm=\"Kustvakt\"",
55 header.getValue().get(0));
56 }
57 }
58 }
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]59
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]60 private ClientResponse registerConfidentialClient ()
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]61 throws KustvaktException {
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]62
63 OAuth2ClientJson json = new OAuth2ClientJson();
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]64 json.setName("OAuth2ClientTest");
65 json.setType(OAuth2ClientType.CONFIDENTIAL);
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]66 json.setUrl("http://example.client.com");
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]67 json.setRedirectURI("https://example.client.com/redirect");
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]68 json.setDescription("This is a confidential test client.");
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]69
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]70 return resource().path(API_VERSION).path("oauth2").path("client").path("register")
margaretha064eb6f2018-07-10 18:33:01 +0200[diff] [blame]71 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
72 .createBasicAuthorizationHeaderValue(username, "pass"))
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]73 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
74 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
75 .entity(json).post(ClientResponse.class);
76 }
77
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]78 private JsonNode retrieveClientInfo (String clientId, String username)
79 throws UniformInterfaceException, ClientHandlerException,
80 KustvaktException {
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]81 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]82 .path("info").path(clientId)
83 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
84 .createBasicAuthorizationHeaderValue(username, "pass"))
85 .get(ClientResponse.class);
86
87 assertEquals(Status.OK.getStatusCode(), response.getStatus());
88
89 String entity = response.getEntity(String.class);
90 return JsonUtils.readTree(entity);
91 }
92
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]93 @Test
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]94 public void testRegisterConfidentialClient () throws KustvaktException {
95 ClientResponse response = registerConfidentialClient();
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]96 String entity = response.getEntity(String.class);
97 assertEquals(Status.OK.getStatusCode(), response.getStatus());
98 JsonNode node = JsonUtils.readTree(entity);
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]99 String clientId = node.at("/client_id").asText();
100 String clientSecret = node.at("/client_secret").asText();
101 assertNotNull(clientId);
102 assertNotNull(clientSecret);
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]103
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]104 testRegisterClientNonUniqueURL();
105
106 String newclientSecret =
107 testResetConfidentialClientSecret(clientId, clientSecret);
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]108
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]109 testDeregisterConfidentialClientMissingSecret(clientId);
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]110 testDeregisterClientIncorrectCredentials(clientId, clientSecret);
111 testDeregisterConfidentialClient(clientId, newclientSecret);
112 }
113
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]114 private void testRegisterClientNonUniqueURL () throws KustvaktException {
115 ClientResponse response = registerConfidentialClient();
116 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
117 JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
118 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]119 }
120
121 @Test
122 public void testRegisterPublicClient () throws UniformInterfaceException,
123 ClientHandlerException, KustvaktException {
124 OAuth2ClientJson json = new OAuth2ClientJson();
125 json.setName("OAuth2PublicClient");
126 json.setType(OAuth2ClientType.PUBLIC);
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]127 json.setUrl("http://test.public.client.com");
128 json.setRedirectURI("https://test.public.client.com/redirect");
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]129 json.setDescription("This is a public test client.");
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]130
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]131 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]132 .path("register")
margaretha064eb6f2018-07-10 18:33:01 +0200[diff] [blame]133 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
134 .createBasicAuthorizationHeaderValue(username, "pass"))
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]135 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]136 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
137 .entity(json).post(ClientResponse.class);
138
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]139 String entity = response.getEntity(String.class);
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]140 assertEquals(Status.OK.getStatusCode(), response.getStatus());
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]141 JsonNode node = JsonUtils.readTree(entity);
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]142 String clientId = node.at("/client_id").asText();
143 assertNotNull(clientId);
144 assertTrue(node.at("/client_secret").isMissingNode());
145
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]146 testResetPublicClientSecret(clientId);
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]147 testAccessTokenAfterDeregistration(clientId, null);
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]148 }
149
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]150 @Test
margarethad7cab212018-07-02 19:01:43 +0200[diff] [blame]151 public void testRegisterDesktopApp () throws UniformInterfaceException,
152 ClientHandlerException, KustvaktException {
153 OAuth2ClientJson json = new OAuth2ClientJson();
154 json.setName("OAuth2DesktopClient");
155 json.setType(OAuth2ClientType.PUBLIC);
156 json.setDescription("This is a desktop test client.");
157
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]158 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margarethad7cab212018-07-02 19:01:43 +0200[diff] [blame]159 .path("register")
margaretha064eb6f2018-07-10 18:33:01 +0200[diff] [blame]160 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
161 .createBasicAuthorizationHeaderValue(username, "pass"))
margarethad7cab212018-07-02 19:01:43 +0200[diff] [blame]162 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
163 .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
164 .entity(json).post(ClientResponse.class);
165
166 String entity = response.getEntity(String.class);
167 assertEquals(Status.OK.getStatusCode(), response.getStatus());
168 JsonNode node = JsonUtils.readTree(entity);
169 String clientId = node.at("/client_id").asText();
170 assertNotNull(clientId);
171 assertTrue(node.at("/client_secret").isMissingNode());
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]172
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]173 testDeregisterPublicClientMissingUserAuthentication(clientId);
174 testDeregisterPublicClientMissingId();
175 testDeregisterPublicClient(clientId);
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]176 }
177
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]178 private void testAccessTokenAfterDeregistration (String clientId,
179 String clientSecret) throws KustvaktException {
180 String userAuthHeader = HttpAuthorizationHandler
181 .createBasicAuthorizationHeaderValue("dory", "password");
182
183 String code =
184 requestAuthorizationCode(clientId, "", null, userAuthHeader);
185 ClientResponse response = requestTokenWithAuthorizationCodeAndForm(clientId,
186 clientSecret, code);
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]187 JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
188 String accessToken = node.at("/access_token").asText();
189
190 response = searchWithAccessToken(accessToken);
191 assertEquals(Status.OK.getStatusCode(), response.getStatus());
192
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]193 code = requestAuthorizationCode(clientId, "", null, userAuthHeader);
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]194 testDeregisterPublicClient(clientId);
195
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]196 response = requestTokenWithAuthorizationCodeAndForm(clientId,
197 clientSecret, code);
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]198 assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
199 node = JsonUtils.readTree(response.getEntity(String.class));
200 assertEquals(OAuth2Error.INVALID_CLIENT.toString(),
201 node.at("/error").asText());
202
203 response = searchWithAccessToken(accessToken);
204 assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
205 node = JsonUtils.readTree(response.getEntity(String.class));
206 assertEquals(StatusCodes.INVALID_ACCESS_TOKEN,
207 node.at("/errors/0/0").asInt());
208 assertEquals("Access token has been revoked",
209 node.at("/errors/0/1").asText());
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]210 }
211
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]212 private void testDeregisterPublicClientMissingUserAuthentication (
213 String clientId) throws UniformInterfaceException,
214 ClientHandlerException, KustvaktException {
215
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]216 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]217 .path("deregister").path(clientId).delete(ClientResponse.class);
218
219 assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
220
221 String entity = response.getEntity(String.class);
222 JsonNode node = JsonUtils.readTree(entity);
223 assertEquals(StatusCodes.AUTHORIZATION_FAILED,
224 node.at("/errors/0/0").asInt());
225 }
226
227 private void testDeregisterPublicClientMissingId ()
228 throws UniformInterfaceException, ClientHandlerException,
229 KustvaktException {
230
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]231 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]232 .path("deregister")
margaretha064eb6f2018-07-10 18:33:01 +0200[diff] [blame]233 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]234 .createBasicAuthorizationHeaderValue(username, "pass"))
235 .delete(ClientResponse.class);
236
237 assertEquals(Status.NOT_FOUND.getStatusCode(), response.getStatus());
238 }
239
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]240 private void testDeregisterPublicClient (String clientId)
241 throws UniformInterfaceException, ClientHandlerException,
242 KustvaktException {
243
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]244 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]245 .path("deregister").path(clientId)
margaretha064eb6f2018-07-10 18:33:01 +0200[diff] [blame]246 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]247 .createBasicAuthorizationHeaderValue(username, "pass"))
248 .delete(ClientResponse.class);
margaretha8d804f62018-04-10 12:39:56 +0200[diff] [blame]249
250 assertEquals(Status.OK.getStatusCode(), response.getStatus());
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]251 }
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]252
253 private void testDeregisterConfidentialClient (String clientId,
254 String clientSecret) throws UniformInterfaceException,
255 ClientHandlerException, KustvaktException {
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]256
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]257 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
258 form.add("client_secret", clientSecret);
259
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]260 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]261 .path("deregister").path(clientId)
margaretha064eb6f2018-07-10 18:33:01 +0200[diff] [blame]262 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
263 .createBasicAuthorizationHeaderValue(username, "pass"))
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]264 .header(HttpHeaders.CONTENT_TYPE,
265 ContentType.APPLICATION_FORM_URLENCODED)
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]266 .entity(form).delete(ClientResponse.class);
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]267
268 assertEquals(Status.OK.getStatusCode(), response.getStatus());
269 }
270
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]271 private void testDeregisterConfidentialClientMissingSecret (String clientId)
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]272 throws KustvaktException {
273
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]274 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]275 .path("deregister").path(clientId)
margaretha064eb6f2018-07-10 18:33:01 +0200[diff] [blame]276 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
277 .createBasicAuthorizationHeaderValue(username, "pass"))
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]278 .header(HttpHeaders.CONTENT_TYPE,
279 ContentType.APPLICATION_FORM_URLENCODED)
280 .delete(ClientResponse.class);
281
282 String entity = response.getEntity(String.class);
283 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
284
285 JsonNode node = JsonUtils.readTree(entity);
margarethad7cab212018-07-02 19:01:43 +0200[diff] [blame]286 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]287 assertEquals("Missing parameters: client_secret",
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]288 node.at("/error_description").asText());
289 }
290
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]291 private void testDeregisterClientIncorrectCredentials (String clientId,
292 String clientSecret) throws UniformInterfaceException,
293 ClientHandlerException, KustvaktException {
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]294
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]295 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]296 form.add("client_secret", clientSecret);
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]297
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]298 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]299 .path("deregister").path(clientId)
margaretha064eb6f2018-07-10 18:33:01 +0200[diff] [blame]300 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
301 .createBasicAuthorizationHeaderValue(username, "pass"))
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]302 .header(HttpHeaders.CONTENT_TYPE,
303 ContentType.APPLICATION_FORM_URLENCODED)
margaretha80ea0dd2018-07-03 14:22:59 +0200[diff] [blame]304 .entity(form).delete(ClientResponse.class);
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]305
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]306 String entity = response.getEntity(String.class);
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]307 assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]308
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]309 JsonNode node = JsonUtils.readTree(entity);
margarethad7cab212018-07-02 19:01:43 +0200[diff] [blame]310 assertEquals(OAuth2Error.INVALID_CLIENT, node.at("/error").asText());
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]311 assertEquals("Invalid client credentials",
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]312 node.at("/error_description").asText());
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]313
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]314 checkWWWAuthenticateHeader(response);
margarethafb1e0992018-04-10 14:58:28 +0200[diff] [blame]315 }
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]316
317 private void testResetPublicClientSecret (String clientId)
318 throws UniformInterfaceException, ClientHandlerException,
319 KustvaktException {
320 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
321 form.add("client_id", clientId);
322
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]323 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]324 .path("reset")
325 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
326 .createBasicAuthorizationHeaderValue(username, "pass"))
327 .header(HttpHeaders.CONTENT_TYPE,
328 ContentType.APPLICATION_FORM_URLENCODED)
329 .entity(form).post(ClientResponse.class);
330
331 String entity = response.getEntity(String.class);
332 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
333 JsonNode node = JsonUtils.readTree(entity);
334 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
335 assertEquals("Operation is not allowed for public clients",
336 node.at("/error_description").asText());
337 }
338
339 private String testResetConfidentialClientSecret (String clientId,
340 String clientSecret) throws UniformInterfaceException,
341 ClientHandlerException, KustvaktException {
342 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
343 form.add("client_id", clientId);
344 form.add("client_secret", clientSecret);
345
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]346 ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
margaretha7f5071f2018-08-14 15:58:51 +0200[diff] [blame]347 .path("reset")
348 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
349 .createBasicAuthorizationHeaderValue(username, "pass"))
350 .header(HttpHeaders.CONTENT_TYPE,
351 ContentType.APPLICATION_FORM_URLENCODED)
352 .entity(form).post(ClientResponse.class);
353
354 String entity = response.getEntity(String.class);
355 assertEquals(Status.OK.getStatusCode(), response.getStatus());
356
357 JsonNode node = JsonUtils.readTree(entity);
358 assertEquals(clientId, node.at("/client_id").asText());
359
360 String newClientSecret = node.at("/client_secret").asText();
361 assertTrue(!clientSecret.equals(newClientSecret));
362
363 return newClientSecret;
364 }
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]365
366 @Test
367 public void testUpdateClientPrivilege () throws KustvaktException {
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]368 // register a client
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]369 ClientResponse response = registerConfidentialClient();
370 JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
371 String clientId = node.at("/client_id").asText();
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]372 String clientSecret = node.at("/client_secret").asText();
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]373
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]374 // request an access token
375 String clientAuthHeader = HttpAuthorizationHandler
376 .createBasicAuthorizationHeaderValue(clientId, clientSecret);
377 String code = requestAuthorizationCode(clientId, clientSecret, null,
378 userAuthHeader);
379 node = requestTokenWithAuthorizationCodeAndHeader(clientId, code,
380 clientAuthHeader);
381 String accessToken = node.at("/access_token").asText();
382
383 testAccessTokenAfterUpgradingClient(clientId, accessToken);
384 testAccessTokenAfterDegradingSuperClient(clientId, accessToken);
385 }
386
387 // old access tokens retain their scopes
388 private void testAccessTokenAfterUpgradingClient (String clientId,
389 String accessToken) throws KustvaktException {
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]390 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
391 form.add("client_id", clientId);
392 form.add("super", "true");
393
394 updateClientPrivilege(form);
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]395 JsonNode node = retrieveClientInfo(clientId, "admin");
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]396 assertTrue(node.at("/isSuper").asBoolean());
397
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]398 // list vc
margarethaee0cbfe2018-08-28 17:47:14 +0200[diff] [blame^]399 ClientResponse response = resource().path(API_VERSION).path("vc").path("list")
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]400 .header(Attributes.AUTHORIZATION, "Bearer " + accessToken)
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]401 .get(ClientResponse.class);
402
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]403 assertEquals(ClientResponse.Status.UNAUTHORIZED.getStatusCode(),
404 response.getStatus());
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]405 String entity = response.getEntity(String.class);
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]406 node = JsonUtils.readTree(entity);
407 assertEquals(StatusCodes.AUTHORIZATION_FAILED,
408 node.at("/errors/0/0").asInt());
409 assertEquals("Scope vc_info is not authorized",
410 node.at("/errors/0/1").asText());
411
412 // search
413 response = searchWithAccessToken(accessToken);
414 assertEquals(Status.OK.getStatusCode(), response.getStatus());
415 }
416
417 private void testAccessTokenAfterDegradingSuperClient (String clientId,
418 String accessToken) throws KustvaktException {
419 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
420 form.add("client_id", clientId);
421 form.add("super", "false");
422
423 updateClientPrivilege(form);
424 JsonNode node = retrieveClientInfo(clientId, username);
425 assertTrue(node.at("/isSuper").isMissingNode());
426
427 ClientResponse response = searchWithAccessToken(accessToken);
428 assertEquals(ClientResponse.Status.UNAUTHORIZED.getStatusCode(),
429 response.getStatus());
430
431 String entity = response.getEntity(String.class);
432 node = JsonUtils.readTree(entity);
433 assertEquals(StatusCodes.INVALID_ACCESS_TOKEN,
434 node.at("/errors/0/0").asInt());
435 assertEquals("Access token has been revoked",
436 node.at("/errors/0/1").asText());
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]437 }
margaretha31a9f522018-04-03 20:40:45 +0200[diff] [blame]438}