This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 258584a4ef8a744d088f978ed9c68e3efcf98f40
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Thu Aug 15 14:25:18 2019 +0100

    Adding OAuth PKCE Digest tests
    
    (cherry picked from commit 563b1ec1f5b2186003843d5e686cc764efa00bb3)
---
 .../security/oauth2/common/OAuth2TestUtils.java    |   2 +-
 .../security/oauth2/grants/PublicClientTest.java   | 123 +++++++++++++++++++++
 .../oauth2/grants/grants-server-public.xml         |  33 ++++++
 3 files changed, 157 insertions(+), 1 deletion(-)

diff --git 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
index 328211e..a6ddb2c 100644
--- 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
+++ 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
@@ -156,7 +156,7 @@ public final class OAuth2TestUtils {
                                                                         String 
code,
                                                                         String 
consumerId,
                                                                         String 
audience) {
-        return getAccessTokenWithAuthorizationCode(client, code, 
"consumer-id", audience, null);
+        return getAccessTokenWithAuthorizationCode(client, code, consumerId, 
audience, null);
     }
 
     public static ClientAccessToken 
getAccessTokenWithAuthorizationCode(WebClient client,
diff --git 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
index 150719b..606aee0 100644
--- 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
+++ 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
@@ -27,6 +27,8 @@ import org.apache.cxf.bus.spring.SpringBusFactory;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer;
+import org.apache.cxf.rs.security.oauth2.grants.code.DigestCodeVerifier;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 import org.apache.cxf.systest.jaxrs.security.SecurityTestUtil;
 import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils;
@@ -196,12 +198,133 @@ public class PublicClientTest extends 
AbstractBusClientServerTestBase {
         try {
             codeVerifier = 
Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
             OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, 
"consumer-id", null, codeVerifier);
+            fail("Failure expected on a different verifier");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+
+    @org.junit.Test
+    public void testPKCEDigest() throws Exception {
+        URL busFile = PublicClientTest.class.getResource("publicclient.xml");
+
+        String address = "https://localhost:"; + JCACHE_PORT + "/services/";
+        WebClient client = WebClient.create(address, 
OAuth2TestUtils.setupProviders(),
+                                            "alice", "security", 
busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        // Get Authorization Code
+        AuthorizationCodeParameters parameters = new 
AuthorizationCodeParameters();
+        parameters.setConsumerId("consumer-id");
+        String codeVerifier = 
Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
+        CodeVerifierTransformer transformer = new DigestCodeVerifier();
+        String codeChallenge = transformer.transformCodeVerifier(codeVerifier);
+        parameters.setCodeChallenge(codeChallenge);
+        parameters.setCodeChallengeMethod(transformer.getChallengeMethod());
+        parameters.setResponseType("code");
+        parameters.setPath("authorize/");
+
+        String location = OAuth2TestUtils.getLocation(client, parameters);
+        String code = OAuth2TestUtils.getSubstring(location, "code");
+        assertNotNull(code);
+
+        // Now get the access token - note services3 doesn't require basic auth
+        String address2 = "https://localhost:"; + JCACHE_PORT + "/services3/";
+        client = WebClient.create(address2, OAuth2TestUtils.setupProviders(), 
busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        ClientAccessToken accessToken =
+            OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, 
"consumer-id", null, codeVerifier);
+        assertNotNull(accessToken.getTokenKey());
+    }
+
+    @org.junit.Test
+    public void testPKCEDigestMissingVerifier() throws Exception {
+        URL busFile = PublicClientTest.class.getResource("publicclient.xml");
+
+        String address = "https://localhost:"; + JCACHE_PORT + "/services/";
+        WebClient client = WebClient.create(address, 
OAuth2TestUtils.setupProviders(),
+                                            "alice", "security", 
busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        // Get Authorization Code
+        AuthorizationCodeParameters parameters = new 
AuthorizationCodeParameters();
+        parameters.setConsumerId("consumer-id");
+        String codeVerifier = 
Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
+        CodeVerifierTransformer transformer = new DigestCodeVerifier();
+        String codeChallenge = transformer.transformCodeVerifier(codeVerifier);
+        parameters.setCodeChallenge(codeChallenge);
+        parameters.setCodeChallengeMethod(transformer.getChallengeMethod());
+        parameters.setResponseType("code");
+        parameters.setPath("authorize/");
+
+        String location = OAuth2TestUtils.getLocation(client, parameters);
+        String code = OAuth2TestUtils.getSubstring(location, "code");
+        assertNotNull(code);
+
+        // Now get the access token - note services3 doesn't require basic auth
+        String address2 = "https://localhost:"; + JCACHE_PORT + "/services3/";
+        client = WebClient.create(address2, OAuth2TestUtils.setupProviders(), 
busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        try {
+            OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, 
"consumer-id", null);
             fail("Failure expected on a missing verifier");
         } catch (Exception ex) {
             // expected
         }
     }
 
+    @org.junit.Test
+    public void testPKCEDigestDifferentVerifier() throws Exception {
+        URL busFile = PublicClientTest.class.getResource("publicclient.xml");
+
+        String address = "https://localhost:"; + JCACHE_PORT + "/services/";
+        WebClient client = WebClient.create(address, 
OAuth2TestUtils.setupProviders(),
+                                            "alice", "security", 
busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        // Get Authorization Code
+        AuthorizationCodeParameters parameters = new 
AuthorizationCodeParameters();
+        parameters.setConsumerId("consumer-id");
+        String codeVerifier = 
Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
+        CodeVerifierTransformer transformer = new DigestCodeVerifier();
+        String codeChallenge = transformer.transformCodeVerifier(codeVerifier);
+        parameters.setCodeChallenge(codeChallenge);
+        parameters.setCodeChallengeMethod(transformer.getChallengeMethod());
+        parameters.setResponseType("code");
+        parameters.setPath("authorize/");
+
+        String location = OAuth2TestUtils.getLocation(client, parameters);
+        String code = OAuth2TestUtils.getSubstring(location, "code");
+        assertNotNull(code);
+
+        // Now get the access token - note services3 doesn't require basic auth
+        String address2 = "https://localhost:"; + JCACHE_PORT + "/services3/";
+        client = WebClient.create(address2, OAuth2TestUtils.setupProviders(), 
busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        try {
+            codeVerifier = 
Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
+            OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, 
"consumer-id", null, codeVerifier);
+            fail("Failure expected on a different verifier");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+
     //
     // Server implementations
     //
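Review bot: The negative tests testPKCEDigestMissingVerifier and testPKCEDigestDifferentVerifier wrap the token request in `catch (Exception ex)`, so an unrelated failure (refused connection, TLS handshake error, a null response) also satisfies the `fail(...)` guard and the tests pass without proving that the server rejected the missing or wrong verifier. Narrow the catch to the type OAuth2TestUtils.getAccessTokenWithAuthorizationCode raises for an OAuth error response (its body is not in this hunk, so confirm the type there; CXF's client utilities raise OAuthServiceException) and assert on the error code if the payload is reachable, e.g. `} catch (OAuthServiceException ex) { // verifier rejected by the server: expected`. The three testPKCEDigest* methods also repeat the same ~30 lines that create the authorization client, build the digest challenge and fetch the code; a private helper that takes the verifier and returns the code would leave each test with only the token request it is actually about. The same broad catch is visible in the tail of the earlier PKCE plain test at the top of the hunk; the enclosing class continues outside the hunk.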
diff --git 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
index 905349f..32d2bba 100644
--- 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
+++ 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
@@ -145,5 +145,38 @@ under the License.
        </jaxrs:properties>
    </jaxrs:server>
    
+   <bean id="digestVerifier" 
class="org.apache.cxf.rs.security.oauth2.grants.code.DigestCodeVerifier" />
+   <bean id="codeGrantHandler" 
class="org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+      <property name="codeVerifierTransformer" ref="digestVerifier"/>
+   </bean>
+   
+   <bean id="digestTokenService" 
class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+      <property name="dataProvider" ref="oauthProvider"/>
+      <property name="canSupportPublicClients" value="true"/>
+      <property name="grantHandlers">
+         <list>
+             <ref bean="codeGrantHandler"/>
+         </list>
+      </property>
+   </bean>
+   
+   <jaxrs:server 
+       depends-on="tls-config" 
+       
address="https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public}/services3";>
+       <jaxrs:serviceBeans>
+           <ref bean="digestTokenService"/>
+       </jaxrs:serviceBeans>
+       <jaxrs:properties>
+           <entry key="security.signature.properties" 
+                  
value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+           <entry key="rs.security.keystore.type" value="jks" />
+           <entry key="rs.security.keystore.alias" value="alice"/>
+           <entry key="rs.security.keystore.password" value="password"/>
+           <entry key="rs.security.keystore.file" value="keys/alice.jks" />
+           <entry key="rs.security.signature.algorithm" value="RS256" />
+       </jaxrs:properties>
+   </jaxrs:server>
+   
 
 </beans>
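Review bot: The new services3 endpoint intentionally has no client authentication (`canSupportPublicClients` is true and the test comment notes it does not require basic auth), which makes the digest code verifier wired into `codeGrantHandler` the only binding between the authorization code and the client, but nothing in the file says so. A comment above the `digestTokenService` bean would stop the next reader from treating the absent authentication as an oversight, e.g. `<!-- Token endpoint for public clients: no client credentials are checked; the PKCE code verifier (digest form) is the only binding between the code and the client. -->`. The keystore and signature entries repeat the earlier jaxrs:properties blocks verbatim; if the file already has a shared holder for them, referencing it would avoid the copies.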
