This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 3.2.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit f8bcf234f12a924b443a4a0861bd57b14cb4b55e Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Thu Jul 26 10:20:19 2018 +0100 Adding unit tests for JCache + JWT OAuth 2.0 data provider (cherry picked from commit c1fb9e95a92df3c828be8c467558503bfc40da80) --- .../provider/AbstractOAuthDataProviderTest.java | 62 +++++++++++++++++++++- .../provider/JCacheJWTOAuthDataProviderTest.java | 33 ++++++++++++ 2 files changed, 94 insertions(+), 1 deletion(-) diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProviderTest.java b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProviderTest.java index ee002c1..b7d4bdc 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProviderTest.java +++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProviderTest.java @@ -18,10 +18,20 @@ */ package org.apache.cxf.rs.security.oauth2.provider; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.Collections; import java.util.List; +import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; +import org.apache.cxf.rs.security.jose.jws.JwsHeaders; +import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer; +import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider; +import org.apache.cxf.rs.security.jose.jws.PrivateKeyJwsSignatureProvider; +import org.apache.cxf.rs.security.jose.jwt.JwtConstants; +import org.apache.cxf.rs.security.jose.jwt.JwtToken; import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration; import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.common.OAuthPermission; 
@@ -35,11 +45,34 @@ import org.junit.Assert; import org.junit.Test; abstract class AbstractOAuthDataProviderTest extends Assert { + private static KeyPair keyPair; private AbstractOAuthDataProvider provider; - protected void initializeProvider(AbstractOAuthDataProvider dataProvider) { + static { + try { + keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair(); + } catch (NoSuchAlgorithmException e) { + e.printStackTrace(); + } + } + + protected static void initializeProvider(AbstractOAuthDataProvider dataProvider) { dataProvider.setSupportedScopes(Collections.singletonMap("a", "A Scope")); dataProvider.setSupportedScopes(Collections.singletonMap("refreshToken", "RefreshToken")); + + // Configure the means of signing the issued JWT tokens + if (dataProvider.isUseJwtFormatForAccessTokens()) { + final JwsSignatureProvider signatureProvider = + new PrivateKeyJwsSignatureProvider(keyPair.getPrivate(), SignatureAlgorithm.RS256); + + OAuthJoseJwtProducer jwtAccessTokenProducer = new OAuthJoseJwtProducer() { + @Override + protected JwsSignatureProvider getInitializedSignatureProvider(JwsHeaders jwsHeaders) { + return signatureProvider; + } + }; + dataProvider.setJwtAccessTokenProducer(jwtAccessTokenProducer); + } } protected AbstractOAuthDataProvider getProvider() { @@ -107,7 +140,9 @@ abstract class AbstractOAuthDataProviderTest extends Assert { atr.setSubject(c.getResourceOwnerSubject()); ServerAccessToken at = getProvider().createAccessToken(atr); + validateAccessToken(at); ServerAccessToken at2 = getProvider().getAccessToken(at.getTokenKey()); + validateAccessToken(at2); assertEquals(at.getTokenKey(), at2.getTokenKey()); List<OAuthPermission> scopes = at2.getScopes(); assertNotNull(scopes); 
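Review bot: The static initializer swallows `NoSuchAlgorithmException` with `e.printStackTrace()`, which leaves `keyPair` null. Any JWT-mode test then fails later with a NullPointerException at `keyPair.getPrivate()` in `initializeProvider`, far from the real cause. Rethrowing in the catch block, e.g. `throw new ExceptionInInitializerError(e);`, fails the class load immediately with the cause attached. The generator is also used without an explicit key size, so the RSA modulus length depends on the JDK provider's default. Calling `initialize(2048)` on the `KeyPairGenerator` before `generateKeyPair()` keeps the test key size explicit and stable across JDK versions.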
@@ -119,21 +154,25 @@ abstract class AbstractOAuthDataProviderTest extends Assert { assertNotNull(tokens); assertEquals(1, tokens.size()); assertEquals(at.getTokenKey(), tokens.get(0).getTokenKey()); + validateAccessToken(tokens.get(0)); tokens = getProvider().getAccessTokens(c, null); assertNotNull(tokens); assertEquals(1, tokens.size()); assertEquals(at.getTokenKey(), tokens.get(0).getTokenKey()); + validateAccessToken(tokens.get(0)); tokens = getProvider().getAccessTokens(null, c.getResourceOwnerSubject()); assertNotNull(tokens); assertEquals(1, tokens.size()); assertEquals(at.getTokenKey(), tokens.get(0).getTokenKey()); + validateAccessToken(tokens.get(0)); tokens = getProvider().getAccessTokens(null, null); assertNotNull(tokens); assertEquals(1, tokens.size()); assertEquals(at.getTokenKey(), tokens.get(0).getTokenKey()); + validateAccessToken(tokens.get(0)); getProvider().revokeToken(c, at.getTokenKey(), OAuthConstants.ACCESS_TOKEN); assertNull(getProvider().getAccessToken(at.getTokenKey())); @@ -152,6 +191,7 @@ abstract class AbstractOAuthDataProviderTest extends Assert { List<ServerAccessToken> tokens = getProvider().getAccessTokens(c, null); assertNotNull(tokens); assertEquals(1, tokens.size()); + validateAccessToken(tokens.get(0)); getProvider().removeClient(c.getClientId()); @@ -173,6 +213,7 @@ abstract class AbstractOAuthDataProviderTest extends Assert { List<ServerAccessToken> tokens = getProvider().getAccessTokens(c, null); assertNotNull(tokens); assertEquals(1, tokens.size()); + validateAccessToken(tokens.get(0)); getProvider().removeClient(c.getClientId()); 
@@ -194,14 +235,18 @@ abstract class AbstractOAuthDataProviderTest extends Assert { atr.setApprovedScope(Collections.singletonList("a")); atr.setSubject(c.getResourceOwnerSubject()); ServerAccessToken at = getProvider().createAccessToken(atr); + validateAccessToken(at); at = getProvider().getAccessToken(at.getTokenKey()); + validateAccessToken(at); AccessTokenRegistration atr2 = new AccessTokenRegistration(); atr2.setClient(c); atr2.setApprovedScope(Collections.singletonList("a")); atr2.setSubject(new TestingUserSubject(c.getResourceOwnerSubject().getLogin())); ServerAccessToken at2 = getProvider().createAccessToken(atr2); + validateAccessToken(at2); at2 = getProvider().getAccessToken(at2.getTokenKey()); + validateAccessToken(at2); assertNotNull(at.getSubject().getId()); assertTrue(at.getSubject() instanceof UserSubject); @@ -221,7 +266,9 @@ abstract class AbstractOAuthDataProviderTest extends Assert { atr.setSubject(c.getResourceOwnerSubject()); ServerAccessToken at = getProvider().createAccessToken(atr); + validateAccessToken(at); ServerAccessToken at2 = getProvider().getAccessToken(at.getTokenKey()); + validateAccessToken(at2); assertEquals(at.getTokenKey(), at2.getTokenKey()); List<OAuthPermission> scopes = at2.getScopes(); assertNotNull(scopes); @@ -306,4 +353,17 @@ abstract class AbstractOAuthDataProviderTest extends Assert { } } + private void validateAccessToken(ServerAccessToken accessToken) { + if (getProvider().isUseJwtFormatForAccessTokens()) { + JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(accessToken.getTokenKey()); + JwtToken jwt = jwtConsumer.getJwtToken(); + + // Validate claims + Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY)); + Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT)); + + Assert.assertTrue(jwtConsumer.verifySignatureWith(keyPair.getPublic(), SignatureAlgorithm.RS256)); + } + } + } 
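Review bot: In the last hunk, `validateAccessToken` reads the claims from `getJwtToken()` before `verifySignatureWith(...)` runs, and it only asserts that the expiry and issued-at claims are present. A token whose claims disagree with the stored `ServerAccessToken` would therefore still pass. Move the `verifySignatureWith(keyPair.getPublic(), SignatureAlgorithm.RS256)` assertion ahead of the claim checks, then compare claim values with the token under test, for example issued-at against `accessToken.getIssuedAt()` (which claims the producer emits should be confirmed first). The method silently does nothing for non-JWT providers, which deserves a one-line comment such as `// Opaque (non-JWT) tokens have nothing to verify here`. Because the class extends `Assert`, the `Assert.` qualifier is also inconsistent with the bare `assertEquals`/`assertNotNull` calls elsewhere in the file.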
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/JCacheJWTOAuthDataProviderTest.java b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/JCacheJWTOAuthDataProviderTest.java
new file mode 100644
index 0000000..53b7741
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/JCacheJWTOAuthDataProviderTest.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import org.junit.Before;
+
+public class JCacheJWTOAuthDataProviderTest extends AbstractOAuthDataProviderTest {
+
+ @Before
+ public void setUp() throws Exception {
+ JCacheOAuthDataProvider provider = new JCacheOAuthDataProvider();
+ provider.setUseJwtFormatForAccessTokens(true);
+ initializeProvider(provider);
+ setProvider(provider);
+ }
+
+}
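Review bot: `JCacheJWTOAuthDataProviderTest` has no class-level Javadoc and no visible teardown. A one-line comment such as `/** Runs the shared data-provider tests against a JCacheOAuthDataProvider that issues JWT access tokens. */` would state which configuration the class covers. `setUp` builds a fresh `JCacheOAuthDataProvider` for every test. If the abstract base class does not already close the provider in an `@After` method (not visible in this diff), cache state could carry over between tests, so this is worth confirming.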