Gitiles
Code Review Sign In
korap.ids-mannheim.de / KorAP / Kustvakt / ffb895089f101a7ec5484052ca0253558f8feb6f / . / full / src / test / java / de / ids_mannheim / korap / web / controller / OAuth2ControllerTest.java
blob: a7d108cb17e11788869b48c7e59ca992b0e765a0 [file] [log] [blame]
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]1package de.ids_mannheim.korap.web.controller;
2
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]3import static org.junit.Assert.assertEquals;
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]4import static org.junit.Assert.assertNotNull;
margaretha6f0b7382018-11-21 17:42:02 +0100[diff] [blame]5import static org.junit.Assert.assertTrue;
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]6
7import java.net.URI;
margaretha93e602e2019-08-07 15:19:56 +0200[diff] [blame]8import java.util.Set;
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]9
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]10import javax.ws.rs.core.MultivaluedMap;
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]11import javax.ws.rs.core.Response.Status;
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]12
13import org.apache.http.entity.ContentType;
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]14import org.apache.oltu.oauth2.common.error.OAuthError;
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]15import org.apache.oltu.oauth2.common.message.types.GrantType;
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]16import org.apache.oltu.oauth2.common.message.types.TokenType;
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]17import org.junit.Test;
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]18
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]19import com.fasterxml.jackson.databind.JsonNode;
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]20import com.google.common.net.HttpHeaders;
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]21import com.sun.jersey.api.client.ClientResponse;
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]22import com.sun.jersey.core.util.MultivaluedMapImpl;
23
24import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]25import de.ids_mannheim.korap.config.Attributes;
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]26import de.ids_mannheim.korap.exceptions.KustvaktException;
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]27import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
margaretha93e602e2019-08-07 15:19:56 +0200[diff] [blame]28import de.ids_mannheim.korap.oauth2.entity.AccessScope;
29import de.ids_mannheim.korap.oauth2.entity.RefreshToken;
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]30import de.ids_mannheim.korap.utils.JsonUtils;
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]31
32/**
33 * @author margaretha
34 *
35 */
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]36public class OAuth2ControllerTest extends OAuth2TestBase {
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]37
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]38 public String userAuthHeader;
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]39
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]40 public OAuth2ControllerTest () throws KustvaktException {
41 userAuthHeader = HttpAuthorizationHandler
42 .createBasicAuthorizationHeaderValue("dory", "password");
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]43 }
44
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]45 @Test
46 public void testAuthorizeConfidentialClient () throws KustvaktException {
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]47 // with registered redirect URI
48 ClientResponse response =
49 requestAuthorizationCode("code", confidentialClientId, "",
50 "match_info search client_info", state, userAuthHeader);
margarethadc515072018-08-03 17:01:19 +0200[diff] [blame]51
52 assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
53 response.getStatus());
54 URI redirectUri = response.getLocation();
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]55 MultivaluedMap<String, String> params =
56 getQueryParamsFromURI(redirectUri);
margarethadc515072018-08-03 17:01:19 +0200[diff] [blame]57 assertNotNull(params.getFirst("code"));
58 assertEquals("thisIsMyState", params.getFirst("state"));
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]59 assertEquals("match_info search client_info", params.getFirst("scope"));
margarethadc515072018-08-03 17:01:19 +0200[diff] [blame]60 }
61
62 @Test
63 public void testAuthorizePublicClient () throws KustvaktException {
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]64 // with registered redirect URI
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]65 String code = requestAuthorizationCode(publicClientId, userAuthHeader);
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]66 assertNotNull(code);
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]67 }
68
69 @Test
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]70 public void testAuthorizePublicClientWithRedirectUri () throws KustvaktException {
71 ClientResponse response =
72 requestAuthorizationCode("code", publicClientId2,
73 "https://public.com/redirect", "", "", userAuthHeader);
74 assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
75 response.getStatus());
76
77 URI redirectUri = response.getLocation();
78 assertEquals(redirectUri.getScheme(), "https");
79 assertEquals(redirectUri.getHost(), "public.com");
80 assertEquals(redirectUri.getPath(), "/redirect");
81
82 String[] queryParts = redirectUri.getQuery().split("&");
83 assertTrue(queryParts[0].startsWith("code="));
84 assertEquals(queryParts[1], "scope=match_info+search");
85 }
86
87 @Test
88 public void testAuthorizeWithoutScope () throws KustvaktException {
89 ClientResponse response = requestAuthorizationCode("code",
90 confidentialClientId, "", "", "", userAuthHeader);
91 assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
92 response.getStatus());
93
94 URI redirectUri = response.getLocation();
95 assertEquals(redirectUri.getScheme(), "https");
96 assertEquals(redirectUri.getHost(), "third.party.com");
97 assertEquals(redirectUri.getPath(), "/confidential/redirect");
98
99 String[] queryParts = redirectUri.getQuery().split("&");
100 assertTrue(queryParts[0].startsWith("code="));
101 assertEquals(queryParts[1], "scope=match_info+search");
102 }
103
104 @Test
105 public void testAuthorizeMissingClientId () throws KustvaktException {
106 ClientResponse response = requestAuthorizationCode("code", "", "", "",
107 "", userAuthHeader);
108 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
109 String entity = response.getEntity(String.class);
110 JsonNode node = JsonUtils.readTree(entity);
111 assertEquals("Missing parameters: client_id",
112 node.at("/error_description").asText());
113 }
114
115 @Test
116 public void testAuthorizeMissingRedirectUri () throws KustvaktException {
117 ClientResponse response = requestAuthorizationCode("code",
118 publicClientId2, "", "", state, userAuthHeader);
119 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
120
121 String entity = response.getEntity(String.class);
122 JsonNode node = JsonUtils.readTree(entity);
123 assertEquals(OAuthError.CodeResponse.INVALID_REQUEST,
124 node.at("/error").asText());
125 assertEquals("Redirect URI is required",
126 node.at("/error_description").asText());
127 assertEquals("thisIsMyState", node.at("/state").asText());
128 }
129
130 @Test
131 public void testAuthorizeMissingResponseType () throws KustvaktException {
132 ClientResponse response = requestAuthorizationCode("",
133 confidentialClientId, "", "", "", userAuthHeader);
134 assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
135 response.getStatus());
136
137 assertEquals("https://third.party.com/confidential/redirect?"
138 + "error_description=Missing+parameters%3A+response_type&"
139 + "error=invalid_request", response.getLocation().toString());
140 }
141
142 @Test
143 public void testAuthorizeInvalidClientId () throws KustvaktException {
144 ClientResponse response = requestAuthorizationCode("code",
145 "unknown-client-id", "", "", "", userAuthHeader);
146// assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
147 String entity = response.getEntity(String.class);
148 System.out.println(entity);
149 JsonNode node = JsonUtils.readTree(entity);
150 assertEquals("Unknown client with unknown-client-id.",
151 node.at("/error_description").asText());
152 }
153
154 @Test
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]155 public void testAuthorizeInvalidRedirectUri () throws KustvaktException {
156 String redirectUri = "https://different.uri/redirect";
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]157 ClientResponse response = requestAuthorizationCode("code",
158 confidentialClientId, redirectUri, "", state, userAuthHeader);
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]159
160 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
161
162 String entity = response.getEntity(String.class);
163 JsonNode node = JsonUtils.readTree(entity);
164 assertEquals(OAuthError.CodeResponse.INVALID_REQUEST,
165 node.at("/error").asText());
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]166 assertEquals("Invalid redirect URI",
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]167 node.at("/error_description").asText());
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]168 assertEquals("thisIsMyState", node.at("/state").asText());
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]169 }
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]170
171 @Test
172 public void testAuthorizeInvalidResponseType () throws KustvaktException {
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]173 // without redirect URI in the request
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]174 ClientResponse response = requestAuthorizationCode("string",
175 confidentialClientId, "", "", state, userAuthHeader);
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]176 assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
177 response.getStatus());
178
179 assertEquals("https://third.party.com/confidential/redirect?"
180 + "error_description=Invalid+response_type+parameter+"
181 + "value&state=thisIsMyState&" + "error=invalid_request",
182 response.getLocation().toString());
183
184 // with redirect URI, and no registered redirect URI
185 response = requestAuthorizationCode("string", publicClientId2,
186 "https://public.client.com/redirect", "", state,
187 userAuthHeader);
188 assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
189 response.getStatus());
190
191 assertEquals("https://public.client.com/redirect?error_description="
192 + "Invalid+response_type+parameter+value&state=thisIsMyState&"
193 + "error=invalid_request", response.getLocation().toString());
194
195 // with different redirect URI
196 String redirectUri = "https://different.uri/redirect";
197 response = requestAuthorizationCode("string", confidentialClientId,
198 redirectUri, "", state, userAuthHeader);
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]199 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
200
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]201 JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]202 assertEquals(OAuthError.CodeResponse.INVALID_REQUEST,
203 node.at("/error").asText());
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]204 assertEquals("Invalid redirect URI",
205 node.at("/error_description").asText());
206 assertEquals("thisIsMyState", node.at("/state").asText());
207
208 // without redirect URI in the request and no registered
209 // redirect URI
210 response = requestAuthorizationCode("string", publicClientId2, "", "",
211 state, userAuthHeader);
212 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
213
214 node = JsonUtils.readTree(response.getEntity(String.class));
215 assertEquals(OAuthError.CodeResponse.INVALID_REQUEST,
216 node.at("/error").asText());
217 assertEquals("Redirect URI is required",
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]218 node.at("/error_description").asText());
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]219 assertEquals("thisIsMyState", node.at("/state").asText());
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]220 }
221
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]222 @Test
223 public void testAuthorizeInvalidScope () throws KustvaktException {
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]224 String scope = "read_address";
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]225 ClientResponse response = requestAuthorizationCode("code",
226 confidentialClientId, "", scope, state, userAuthHeader);
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]227 assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
228 response.getStatus());
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]229
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]230 assertEquals(
231 "https://third.party.com/confidential/redirect?"
232 + "error_description=read_address+is+an+invalid+scope&"
233 + "state=thisIsMyState&error=invalid_scope",
234 response.getLocation().toString());
235 }
236
237 @Test
238 public void testAuthorizeUnsupportedTokenResponseType ()
239 throws KustvaktException {
240 ClientResponse response = requestAuthorizationCode("token",
241 confidentialClientId, "", "", state, userAuthHeader);
242 assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
243 response.getStatus());
244
245 assertEquals("https://third.party.com/confidential/redirect?"
246 + "error_description=response_type+token+is+not+"
247 + "supported&state=thisIsMyState&error=unsupported_"
248 + "response_type", response.getLocation().toString());
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]249 }
250
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]251 @Test
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]252 public void testRequestTokenAuthorizationPublic ()
253 throws KustvaktException {
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]254 String code =
255 requestAuthorizationCode(publicClientId, userAuthHeader);
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]256
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]257 ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
258 publicClientId, clientSecret, code);
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]259 String entity = response.getEntity(String.class);
260 JsonNode node = JsonUtils.readTree(entity);
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]261
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]262 String accessToken = node.at("/access_token").asText();
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]263
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]264 assertEquals(TokenType.BEARER.toString(),
265 node.at("/token_type").asText());
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]266 assertEquals(31536000, node.at("/expires_in").asInt());
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]267
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]268 testRevokeToken(accessToken, publicClientId, null, ACCESS_TOKEN_TYPE);
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]269
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]270 assertTrue(node.at("/refresh_token").isMissingNode());
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]271 }
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]272
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]273 @Test
margarethaa452c5e2018-04-25 22:48:09 +0200[diff] [blame]274 public void testRequestTokenAuthorizationConfidential ()
275 throws KustvaktException {
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]276
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]277 String scope = "search";
278 ClientResponse response = requestAuthorizationCode("code",
279 confidentialClientId, "", scope, state, userAuthHeader);
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]280 MultivaluedMap<String, String> params =
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]281 getQueryParamsFromURI(response.getLocation());
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]282 String code = params.get("code").get(0);
283 String scopes = params.get("scope").get(0);
284
margaretha20f31232018-07-09 17:49:39 +0200[diff] [blame]285 assertEquals(scopes, "search");
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]286
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]287 response = requestTokenWithAuthorizationCodeAndForm(
288 confidentialClientId, clientSecret, code);
margarethaa452c5e2018-04-25 22:48:09 +0200[diff] [blame]289 String entity = response.getEntity(String.class);
290 JsonNode node = JsonUtils.readTree(entity);
291 assertNotNull(node.at("/access_token").asText());
292 assertNotNull(node.at("/refresh_token").asText());
293 assertEquals(TokenType.BEARER.toString(),
294 node.at("/token_type").asText());
295 assertNotNull(node.at("/expires_in").asText());
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]296
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]297 testRequestTokenWithUsedAuthorization(code);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]298
margaretha6f0b7382018-11-21 17:42:02 +0100[diff] [blame]299 String refreshToken = node.at("/refresh_token").asText();
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]300
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]301 testRequestRefreshTokenInvalidScope(confidentialClientId, refreshToken);
302 testRequestRefreshTokenInvalidClient(refreshToken);
303 testRequestRefreshTokenInvalidRefreshToken(confidentialClientId);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]304
305 testRequestRefreshToken(confidentialClientId, clientSecret, refreshToken);
margarethaa452c5e2018-04-25 22:48:09 +0200[diff] [blame]306 }
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]307
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]308 private void testRequestTokenWithUsedAuthorization (String code)
309 throws KustvaktException {
310 ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
311 confidentialClientId, clientSecret, code);
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]312 String entity = response.getEntity(String.class);
313
314 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
315
316 JsonNode node = JsonUtils.readTree(entity);
317 assertEquals(OAuthError.TokenResponse.INVALID_GRANT,
318 node.at("/error").asText());
319 assertEquals("Invalid authorization",
320 node.at("/error_description").asText());
321 }
322
323 @Test
324 public void testRequestTokenInvalidAuthorizationCode ()
325 throws KustvaktException {
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]326 ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
327 confidentialClientId, clientSecret, "blahblah");
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]328 String entity = response.getEntity(String.class);
329
330 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
331
332 JsonNode node = JsonUtils.readTree(entity);
333 assertEquals(OAuthError.TokenResponse.INVALID_REQUEST,
334 node.at("/error").asText());
335 }
336
337 @Test
338 public void testRequestTokenAuthorizationReplyAttack ()
339 throws KustvaktException {
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]340 String redirect_uri = "https://third.party.com/confidential/redirect";
341 String scope = "search";
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]342
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]343 ClientResponse response =
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]344 requestAuthorizationCode("code", confidentialClientId,
345 redirect_uri, scope, state, userAuthHeader);
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]346 MultivaluedMap<String, String> params =
margarethaffb89502022-04-20 12:03:16 +0200[diff] [blame^]347 getQueryParamsFromURI(response.getLocation());
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]348 String code = params.get("code").get(0);
349
350 testRequestTokenAuthorizationInvalidClient(code);
351 testRequestTokenAuthorizationInvalidRedirectUri(code);
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]352 testRequestTokenAuthorizationRevoked(code, redirect_uri);
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]353 }
354
355 private void testRequestTokenAuthorizationInvalidClient (String code)
356 throws KustvaktException {
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]357 ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
358 confidentialClientId, "wrong_secret", code);
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]359 String entity = response.getEntity(String.class);
360 JsonNode node = JsonUtils.readTree(entity);
361 assertEquals(OAuth2Error.INVALID_CLIENT, node.at("/error").asText());
362 }
363
364 private void testRequestTokenAuthorizationInvalidRedirectUri (String code)
365 throws KustvaktException {
366 MultivaluedMap<String, String> tokenForm = new MultivaluedMapImpl();
367 tokenForm.add("grant_type", "authorization_code");
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]368 tokenForm.add("client_id", confidentialClientId);
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]369 tokenForm.add("client_secret", "secret");
370 tokenForm.add("code", code);
371 tokenForm.add("redirect_uri", "https://blahblah.com");
372
373 ClientResponse response = requestToken(tokenForm);
374 String entity = response.getEntity(String.class);
375 JsonNode node = JsonUtils.readTree(entity);
376 assertEquals(OAuth2Error.INVALID_GRANT, node.at("/error").asText());
377 }
378
379 private void testRequestTokenAuthorizationRevoked (String code, String uri)
380 throws KustvaktException {
381 MultivaluedMap<String, String> tokenForm = new MultivaluedMapImpl();
382 tokenForm.add("grant_type", "authorization_code");
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]383 tokenForm.add("client_id", confidentialClientId);
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]384 tokenForm.add("client_secret", "secret");
385 tokenForm.add("code", code);
386 tokenForm.add("redirect_uri", uri);
387
388 ClientResponse response = requestToken(tokenForm);
389 String entity = response.getEntity(String.class);
390 JsonNode node = JsonUtils.readTree(entity);
391 assertEquals(OAuthError.TokenResponse.INVALID_GRANT,
392 node.at("/error").asText());
393 assertEquals("Invalid authorization",
394 node.at("/error_description").asText());
395 }
396
margarethaa452c5e2018-04-25 22:48:09 +0200[diff] [blame]397 @Test
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]398 public void testRequestTokenPasswordGrantConfidentialSuper ()
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]399 throws KustvaktException {
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]400 ClientResponse response =
margaretha230effb2018-11-29 17:28:18 +0100[diff] [blame]401 requestTokenWithDoryPassword(superClientId, clientSecret);
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]402
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]403 assertEquals(Status.OK.getStatusCode(), response.getStatus());
404
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]405 String entity = response.getEntity(String.class);
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]406 JsonNode node = JsonUtils.readTree(entity);
407 assertNotNull(node.at("/access_token").asText());
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]408 assertEquals(TokenType.BEARER.toString(),
409 node.at("/token_type").asText());
410 assertNotNull(node.at("/expires_in").asText());
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]411
margaretha93e602e2019-08-07 15:19:56 +0200[diff] [blame]412 RefreshToken refreshToken = refreshTokenDao
413 .retrieveRefreshToken(node.at("/refresh_token").asText());
414 Set<AccessScope> scopes = refreshToken.getScopes();
415 assertEquals(1, scopes.size());
416 assertEquals("[all]", scopes.toString());
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]417 }
418
419 @Test
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]420 public void testRequestTokenPasswordGrantConfidentialNonSuper ()
421 throws KustvaktException {
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]422 ClientResponse response = requestTokenWithDoryPassword(
423 confidentialClientId, clientSecret);
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]424 String entity = response.getEntity(String.class);
425 assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
426
427 JsonNode node = JsonUtils.readTree(entity);
428 assertEquals(OAuthError.TokenResponse.UNAUTHORIZED_CLIENT,
429 node.at("/error").asText());
430 assertEquals("Password grant is not allowed for third party clients",
431 node.at("/error_description").asText());
432 }
433
434 @Test
435 public void testRequestTokenPasswordGrantPublic ()
436 throws KustvaktException {
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]437 ClientResponse response =
438 requestTokenWithDoryPassword(publicClientId, "");
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]439 String entity = response.getEntity(String.class);
440
441 assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
442
443 JsonNode node = JsonUtils.readTree(entity);
444 assertEquals(OAuth2Error.UNAUTHORIZED_CLIENT,
445 node.at("/error").asText());
446 assertEquals("Password grant is not allowed for third party clients",
447 node.at("/error_description").asText());
448 }
449
450 @Test
margaretha00c28c02018-07-05 18:09:09 +0200[diff] [blame]451 public void testRequestTokenPasswordGrantAuthorizationHeader ()
452 throws KustvaktException {
453 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
454 form.add("grant_type", "password");
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]455 form.add("client_id", superClientId);
margaretha00c28c02018-07-05 18:09:09 +0200[diff] [blame]456 form.add("username", "dory");
457 form.add("password", "password");
458
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]459 ClientResponse response =
460 resource().path(API_VERSION).path("oauth2").path("token")
461 .header(HttpHeaders.AUTHORIZATION,
462 "Basic ZkNCYlFrQXlZekk0TnpVeE1nOnNlY3JldA==")
463 .header(HttpHeaders.CONTENT_TYPE,
464 ContentType.APPLICATION_FORM_URLENCODED)
465 .entity(form).post(ClientResponse.class);
margaretha00c28c02018-07-05 18:09:09 +0200[diff] [blame]466 String entity = response.getEntity(String.class);
margaretha00c28c02018-07-05 18:09:09 +0200[diff] [blame]467 JsonNode node = JsonUtils.readTree(entity);
468 assertNotNull(node.at("/access_token").asText());
469 assertNotNull(node.at("/refresh_token").asText());
470 assertEquals(TokenType.BEARER.toString(),
471 node.at("/token_type").asText());
472 assertNotNull(node.at("/expires_in").asText());
473 }
474
margaretha0a45be12018-07-12 15:06:30 +0200[diff] [blame]475 /**
476 * In case, client_id is specified both in Authorization header
477 * and request body, client_id in the request body is ignored.
478 *
479 * @throws KustvaktException
480 */
481 @Test
482 public void testRequestTokenPasswordGrantDifferentClientIds ()
483 throws KustvaktException {
484 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
485 form.add("grant_type", "password");
486 form.add("client_id", "9aHsGW6QflV13ixNpez");
487 form.add("username", "dory");
488 form.add("password", "password");
489
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]490 ClientResponse response =
491 resource().path(API_VERSION).path("oauth2").path("token")
492 .header(HttpHeaders.AUTHORIZATION,
493 "Basic ZkNCYlFrQXlZekk0TnpVeE1nOnNlY3JldA==")
494 .header(HttpHeaders.CONTENT_TYPE,
495 ContentType.APPLICATION_FORM_URLENCODED)
496 .entity(form).post(ClientResponse.class);
margaretha0a45be12018-07-12 15:06:30 +0200[diff] [blame]497 String entity = response.getEntity(String.class);
498 JsonNode node = JsonUtils.readTree(entity);
499 assertNotNull(node.at("/access_token").asText());
500 assertNotNull(node.at("/refresh_token").asText());
501 assertEquals(TokenType.BEARER.toString(),
502 node.at("/token_type").asText());
503 assertNotNull(node.at("/expires_in").asText());
504 }
505
margaretha00c28c02018-07-05 18:09:09 +0200[diff] [blame]506 @Test
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]507 public void testRequestTokenPasswordGrantMissingClientSecret ()
508 throws KustvaktException {
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]509 ClientResponse response =
margaretha230effb2018-11-29 17:28:18 +0100[diff] [blame]510 requestTokenWithDoryPassword(confidentialClientId, "");
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]511 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]512
513 String entity = response.getEntity(String.class);
514 JsonNode node = JsonUtils.readTree(entity);
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]515 assertEquals(OAuthError.TokenResponse.INVALID_REQUEST,
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]516 node.at("/error").asText());
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]517 assertEquals("Missing parameters: client_secret",
518 node.at("/error_description").asText());
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]519 }
520
521 @Test
522 public void testRequestTokenPasswordGrantMissingClientId ()
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]523 throws KustvaktException {
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]524 ClientResponse response =
525 requestTokenWithDoryPassword(null, clientSecret);
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]526 String entity = response.getEntity(String.class);
527 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
528
529 JsonNode node = JsonUtils.readTree(entity);
530 assertEquals(OAuthError.TokenResponse.INVALID_REQUEST,
531 node.at("/error").asText());
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]532 assertEquals("Missing parameters: client_id",
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]533 node.at("/error_description").asText());
534 }
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]535
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]536 @Test
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]537 public void testRequestTokenClientCredentialsGrant ()
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]538 throws KustvaktException {
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]539
540 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
541 form.add("grant_type", "client_credentials");
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]542 form.add("client_id", confidentialClientId);
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]543 form.add("client_secret", "secret");
544 ClientResponse response = requestToken(form);
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]545 String entity = response.getEntity(String.class);
546 assertEquals(Status.OK.getStatusCode(), response.getStatus());
547
548 JsonNode node = JsonUtils.readTree(entity);
549 // length?
550 assertNotNull(node.at("/access_token").asText());
551 assertNotNull(node.at("/refresh_token").asText());
552 assertEquals(TokenType.BEARER.toString(),
553 node.at("/token_type").asText());
554 assertNotNull(node.at("/expires_in").asText());
555 }
556
margarethadc515072018-08-03 17:01:19 +0200[diff] [blame]557 /**
558 * Client credentials grant is only allowed for confidential
559 * clients.
560 */
561 @Test
562 public void testRequestTokenClientCredentialsGrantPublic ()
563 throws KustvaktException {
564
565 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
566 form.add("grant_type", "client_credentials");
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]567 form.add("client_id", publicClientId);
margarethadc515072018-08-03 17:01:19 +0200[diff] [blame]568 form.add("client_secret", "");
569 ClientResponse response = requestToken(form);
570
571 String entity = response.getEntity(String.class);
572 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
573 JsonNode node = JsonUtils.readTree(entity);
574 assertEquals(OAuthError.TokenResponse.INVALID_REQUEST,
575 node.at("/error").asText());
576 assertEquals("Missing parameters: client_secret",
577 node.at("/error_description").asText());
578 }
579
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]580 @Test
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]581 public void testRequestTokenClientCredentialsGrantReducedScope ()
582 throws KustvaktException {
583
584 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
585 form.add("grant_type", "client_credentials");
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]586 form.add("client_id", confidentialClientId);
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]587 form.add("client_secret", "secret");
margaretha9c78e1a2018-06-27 14:12:35 +0200[diff] [blame]588 form.add("scope", "preferred_username client_info");
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]589
590 ClientResponse response = requestToken(form);
591 String entity = response.getEntity(String.class);
592 assertEquals(Status.OK.getStatusCode(), response.getStatus());
593
594 JsonNode node = JsonUtils.readTree(entity);
595 // length?
596 assertNotNull(node.at("/access_token").asText());
597 assertNotNull(node.at("/refresh_token").asText());
598 assertEquals(TokenType.BEARER.toString(),
599 node.at("/token_type").asText());
600 assertNotNull(node.at("/expires_in").asText());
margaretha9c78e1a2018-06-27 14:12:35 +0200[diff] [blame]601 assertEquals("client_info", node.at("/scope").asText());
margarethabe4c5c92018-05-03 18:55:49 +0200[diff] [blame]602 }
603
604 @Test
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]605 public void testRequestTokenMissingGrantType () throws KustvaktException {
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]606 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]607 ClientResponse response = requestToken(form);
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]608 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
609
610 String entity = response.getEntity(String.class);
611 JsonNode node = JsonUtils.readTree(entity);
612 assertEquals(OAuthError.TokenResponse.INVALID_REQUEST,
613 node.at("/error").asText());
614 }
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]615
616 @Test
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]617 public void testRequestTokenUnsupportedGrant () throws KustvaktException {
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]618
619 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]620 form.add("grant_type", "blahblah");
621
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]622 ClientResponse response =
623 resource().path(API_VERSION).path("oauth2").path("token")
624 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
625 .header(HttpHeaders.CONTENT_TYPE,
626 ContentType.APPLICATION_FORM_URLENCODED)
627 .entity(form).post(ClientResponse.class);
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]628
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]629 String entity = response.getEntity(String.class);
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]630 assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
631
632 JsonNode node = JsonUtils.readTree(entity);
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]633 assertEquals("Invalid grant_type parameter value",
margaretha05122312018-04-16 15:01:34 +0200[diff] [blame]634 node.get("error_description").asText());
margarethaf839dde2018-04-16 17:52:57 +0200[diff] [blame]635 assertEquals(OAuthError.TokenResponse.INVALID_REQUEST,
636 node.get("error").asText());
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]637 }
638
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]639 private void testRequestRefreshTokenInvalidScope (String clientId,
640 String refreshToken) throws KustvaktException {
641 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
642 form.add("grant_type", GrantType.REFRESH_TOKEN.toString());
643 form.add("client_id", clientId);
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]644 form.add("client_secret", clientSecret);
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]645 form.add("refresh_token", refreshToken);
646 form.add("scope", "search serialize_query");
647
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]648 ClientResponse response =
649 resource().path(API_VERSION).path("oauth2").path("token")
650 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
651 .header(HttpHeaders.CONTENT_TYPE,
652 ContentType.APPLICATION_FORM_URLENCODED)
653 .entity(form).post(ClientResponse.class);
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]654
655 String entity = response.getEntity(String.class);
656 JsonNode node = JsonUtils.readTree(entity);
657 assertEquals(OAuth2Error.INVALID_SCOPE, node.at("/error").asText());
658 }
659
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]660 private void testRequestRefreshToken (String clientId, String clientSecret,
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]661 String refreshToken) throws KustvaktException {
662 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
663 form.add("grant_type", GrantType.REFRESH_TOKEN.toString());
664 form.add("client_id", clientId);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]665 form.add("client_secret", clientSecret);
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]666 form.add("refresh_token", refreshToken);
667
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]668 ClientResponse response =
669 resource().path(API_VERSION).path("oauth2").path("token")
670 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
671 .header(HttpHeaders.CONTENT_TYPE,
672 ContentType.APPLICATION_FORM_URLENCODED)
673 .entity(form).post(ClientResponse.class);
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]674
675 String entity = response.getEntity(String.class);
676 assertEquals(Status.OK.getStatusCode(), response.getStatus());
677
678 JsonNode node = JsonUtils.readTree(entity);
679 assertNotNull(node.at("/access_token").asText());
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]680
681 String newRefreshToken = node.at("/refresh_token").asText();
682 assertNotNull(newRefreshToken);
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]683 assertEquals(TokenType.BEARER.toString(),
684 node.at("/token_type").asText());
685 assertNotNull(node.at("/expires_in").asText());
margaretha6f0b7382018-11-21 17:42:02 +0100[diff] [blame]686
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]687 assertTrue(!newRefreshToken.equals(refreshToken));
margaretha93e602e2019-08-07 15:19:56 +0200[diff] [blame]688
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]689 testRequestTokenWithRevokedRefreshToken(clientId, clientSecret,
690 refreshToken);
691
692 testRevokeToken(newRefreshToken, clientId, clientSecret,
693 REFRESH_TOKEN_TYPE);
694 testRequestTokenWithRevokedRefreshToken(clientId, clientSecret,
695 newRefreshToken);
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]696 }
697
698 private void testRequestRefreshTokenInvalidClient (String refreshToken)
699 throws KustvaktException {
700 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
701 form.add("grant_type", GrantType.REFRESH_TOKEN.toString());
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]702 form.add("client_id", "iBr3LsTCxOj7D2o0A5m");
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]703 form.add("refresh_token", refreshToken);
704
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]705 ClientResponse response =
706 resource().path(API_VERSION).path("oauth2").path("token")
707 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
708 .header(HttpHeaders.CONTENT_TYPE,
709 ContentType.APPLICATION_FORM_URLENCODED)
710 .entity(form).post(ClientResponse.class);
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]711
712 String entity = response.getEntity(String.class);
713 JsonNode node = JsonUtils.readTree(entity);
714 assertEquals(OAuth2Error.INVALID_CLIENT, node.at("/error").asText());
715 }
716
717 private void testRequestRefreshTokenInvalidRefreshToken (String clientId)
718 throws KustvaktException {
719 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
720 form.add("grant_type", GrantType.REFRESH_TOKEN.toString());
721 form.add("client_id", clientId);
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]722 form.add("client_secret", clientSecret);
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]723 form.add("refresh_token", "Lia8s8w8tJeZSBlaQDrYV8ion3l");
724
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]725 ClientResponse response =
726 resource().path(API_VERSION).path("oauth2").path("token")
727 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
728 .header(HttpHeaders.CONTENT_TYPE,
729 ContentType.APPLICATION_FORM_URLENCODED)
730 .entity(form).post(ClientResponse.class);
margaretha03b82862018-07-12 20:09:26 +0200[diff] [blame]731
732 String entity = response.getEntity(String.class);
733 JsonNode node = JsonUtils.readTree(entity);
734 assertEquals(OAuth2Error.INVALID_GRANT, node.at("/error").asText());
735 }
736
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]737 private JsonNode requestTokenList (String userAuthHeader, String tokenType,
738 String clientId) throws KustvaktException {
739 MultivaluedMap<String, String> form = new MultivaluedMapImpl();
740 form.add("super_client_id", superClientId);
741 form.add("super_client_secret", clientSecret);
742 form.add("token_type", tokenType);
743
744 if (clientId != null && !clientId.isEmpty()){
745 form.add("client_id", clientId);
746 }
747
748 ClientResponse response = resource().path(API_VERSION).path("oauth2")
749 .path("token").path("list")
750 .header(Attributes.AUTHORIZATION, userAuthHeader)
margarethadc515072018-08-03 17:01:19 +0200[diff] [blame]751 .header(HttpHeaders.CONTENT_TYPE,
752 ContentType.APPLICATION_FORM_URLENCODED)
753 .entity(form).post(ClientResponse.class);
margarethaf0085122018-08-16 16:19:53 +0200[diff] [blame]754
margarethadc515072018-08-03 17:01:19 +0200[diff] [blame]755 assertEquals(Status.OK.getStatusCode(), response.getStatus());
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]756
757 String entity = response.getEntity(String.class);
758 return JsonUtils.readTree(entity);
759 }
760
761 private JsonNode requestTokenList (String userAuthHeader, String tokenType)
762 throws KustvaktException {
763 return requestTokenList(userAuthHeader, tokenType, null);
margaretha7497adf2019-11-26 13:13:57 +0100[diff] [blame]764 }
765
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]766 @Test
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]767 public void testListRefreshTokenConfidentialClient () throws KustvaktException {
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]768 String username = "gurgle";
769 String password = "pwd";
770 userAuthHeader = HttpAuthorizationHandler
771 .createBasicAuthorizationHeaderValue(username, password);
772
773 // super client
774 ClientResponse response = requestTokenWithPassword(superClientId,
775 clientSecret, username, password);
776 assertEquals(Status.OK.getStatusCode(), response.getStatus());
777 JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
778 String refreshToken1 = node.at("/refresh_token").asText();
779
780 // client 1
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]781 String code =
782 requestAuthorizationCode(confidentialClientId, userAuthHeader);
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]783 response = requestTokenWithAuthorizationCodeAndForm(
784 confidentialClientId, clientSecret, code);
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]785 assertEquals(Status.OK.getStatusCode(), response.getStatus());
786
787 // client 2
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]788 code = requestAuthorizationCode(confidentialClientId2,
789 clientRedirectUri, userAuthHeader);
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]790 response = requestTokenWithAuthorizationCodeAndForm(
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]791 confidentialClientId2, clientSecret, code, clientRedirectUri);
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]792 assertEquals(Status.OK.getStatusCode(), response.getStatus());
793
794 // list
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]795 node = requestTokenList(userAuthHeader, REFRESH_TOKEN_TYPE);
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]796 assertEquals(2, node.size());
margaretha4f4b9ab2021-04-30 17:33:21 +0200[diff] [blame]797 assertEquals(confidentialClientId, node.at("/0/client_id").asText());
798 assertEquals(confidentialClientId2, node.at("/1/client_id").asText());
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]799
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]800 // client 1
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]801 code = requestAuthorizationCode(confidentialClientId, userAuthHeader);
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]802 response = requestTokenWithAuthorizationCodeAndForm(
803 confidentialClientId, clientSecret, code);
804 assertEquals(Status.OK.getStatusCode(), response.getStatus());
805
margaretha7497adf2019-11-26 13:13:57 +0100[diff] [blame]806 // another user
807 String darlaAuthHeader = HttpAuthorizationHandler
808 .createBasicAuthorizationHeaderValue("darla", "pwd");
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]809
810 // test listing clients
811 node = requestTokenList(darlaAuthHeader, REFRESH_TOKEN_TYPE);
812 assertEquals(0, node.size());
813
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]814 // client 1
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]815 code = requestAuthorizationCode(confidentialClientId, darlaAuthHeader);
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]816 assertEquals(Status.OK.getStatusCode(), response.getStatus());
817 response = requestTokenWithAuthorizationCodeAndForm(
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]818 confidentialClientId, clientSecret, code);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]819
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]820 node = JsonUtils.readTree(response.getEntity(String.class));
821 String refreshToken5 = node.at("/refresh_token").asText();
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]822
823 // list all refresh tokens
824 node = requestTokenList(userAuthHeader, REFRESH_TOKEN_TYPE);
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]825 assertEquals(3, node.size());
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]826
827 // list refresh tokens from client 1
828 node = requestTokenList(userAuthHeader, REFRESH_TOKEN_TYPE, confidentialClientId);
829 assertEquals(2, node.size());
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]830
831 testRevokeToken(refreshToken1, superClientId, clientSecret,
832 REFRESH_TOKEN_TYPE);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]833 testRevokeToken(node.at("/0/token").asText(), confidentialClientId,
margaretha0afd44a2020-02-05 10:49:21 +0100[diff] [blame]834 clientSecret, REFRESH_TOKEN_TYPE);
835 testRevokeToken(node.at("/1/token").asText(), confidentialClientId2,
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]836 clientSecret, REFRESH_TOKEN_TYPE);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]837
838 node = requestTokenList(userAuthHeader, REFRESH_TOKEN_TYPE);
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]839 assertEquals(1, node.size());
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]840
841 testRevokeTokenViaSuperClient(node.at("/0/token").asText(),
842 userAuthHeader);
843 node = requestTokenList(userAuthHeader, REFRESH_TOKEN_TYPE);
margaretha7497adf2019-11-26 13:13:57 +0100[diff] [blame]844 assertEquals(0, node.size());
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]845
margaretha7497adf2019-11-26 13:13:57 +0100[diff] [blame]846 // try revoking a token belonging to another user
847 // should not return any errors
848 testRevokeTokenViaSuperClient(refreshToken5, userAuthHeader);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]849 node = requestTokenList(darlaAuthHeader, REFRESH_TOKEN_TYPE);
margaretha7497adf2019-11-26 13:13:57 +0100[diff] [blame]850 assertEquals(1, node.size());
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]851
margaretha7497adf2019-11-26 13:13:57 +0100[diff] [blame]852 testRevokeTokenViaSuperClient(refreshToken5, darlaAuthHeader);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]853 node = requestTokenList(darlaAuthHeader, REFRESH_TOKEN_TYPE);
margaretha7497adf2019-11-26 13:13:57 +0100[diff] [blame]854 assertEquals(0, node.size());
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]855 }
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]856
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]857
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]858 @Test
859 public void testListTokenPublicClient () throws KustvaktException {
860 String username = "nemo";
861 String password = "pwd";
862 userAuthHeader = HttpAuthorizationHandler
863 .createBasicAuthorizationHeaderValue(username, password);
864
865 // access token 1
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]866 String code = requestAuthorizationCode(publicClientId, userAuthHeader);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]867 ClientResponse response = requestTokenWithAuthorizationCodeAndForm(publicClientId, "",
868 code);
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]869 assertEquals(Status.OK.getStatusCode(), response.getStatus());
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]870 JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
871 String accessToken1 = node.at("/access_token").asText();
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]872
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]873 // access token 2
margarethad67b4272022-04-11 17:34:19 +0200[diff] [blame]874 code = requestAuthorizationCode(publicClientId, userAuthHeader);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]875 response = requestTokenWithAuthorizationCodeAndForm(publicClientId, "",
876 code);
877 assertEquals(Status.OK.getStatusCode(), response.getStatus());
878 node = JsonUtils.readTree(response.getEntity(String.class));
879 String accessToken2 = node.at("/access_token").asText();
880
881 // list access tokens
882 node = requestTokenList(userAuthHeader, ACCESS_TOKEN_TYPE);
883 assertEquals(2, node.size());
884
885 // list refresh tokens
886 node = requestTokenList(userAuthHeader, REFRESH_TOKEN_TYPE);
887 assertEquals(0, node.size());
888
889 testRevokeTokenViaSuperClient(accessToken1, userAuthHeader);
890 node = requestTokenList(userAuthHeader, ACCESS_TOKEN_TYPE);
margarethab250ddc2021-06-07 12:07:17 +0200[diff] [blame]891// System.out.println(node);
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]892 assertEquals(1, node.size());
margaretha4f4b9ab2021-04-30 17:33:21 +0200[diff] [blame]893 assertEquals(accessToken2, node.at("/0/token").asText());
894 assertTrue(node.at("/0/scope").size()>0);
895 assertNotNull(node.at("/0/created_date").asText());
896 assertNotNull(node.at("/0/expires_in").asLong());
897 assertNotNull(node.at("/0/user_authentication_time").asText());
898
899 assertEquals(publicClientId, node.at("/0/client_id").asText());
900 assertNotNull(node.at("/0/client_name").asText());
901 assertNotNull(node.at("/0/client_description").asText());
902 assertNotNull(node.at("/0/client_url").asText());
903
margaretha35074692021-03-26 18:11:59 +0100[diff] [blame]904
905 testRevokeTokenViaSuperClient(accessToken2, userAuthHeader);
906 node = requestTokenList(userAuthHeader, ACCESS_TOKEN_TYPE);
907 assertEquals(0, node.size());
margaretha43aceb52019-11-21 12:58:53 +0100[diff] [blame]908 }
margarethaa0486272018-04-12 19:59:31 +0200[diff] [blame]909}