@Test
public void shouldReturn400IfRedirectUriDoesNotMatchRedirectUriFromAuthRequest() throws JOSEException {
    // A token request whose redirect_uri differs from the one recorded with the
    // authorization code must be refused with invalid_grant: the code is bound to the
    // redirect_uri of the original authorization request.
    KeyPair rsaKeys = generateRsaKeyPair();
    PrivateKeyJWT clientAssertion = generatePrivateKeyJWT(rsaKeys.getPrivate());
    ClientRegistry registeredClient = generateClientRegistry(rsaKeys, false);

    // Client authentication is stubbed to succeed, so the only thing left to fail is the
    // redirect_uri comparison.
    when(tokenService.validateTokenRequestParams(anyString())).thenReturn(Optional.empty());
    when(clientService.getClient(eq(CLIENT_ID))).thenReturn(Optional.of(registeredClient));
    when(tokenService.getClientIDFromPrivateKeyJWT(anyString())).thenReturn(Optional.of(CLIENT_ID));
    when(tokenService.validatePrivateKeyJWT(
                    anyString(), eq(registeredClient.getPublicKey()), eq(BASE_URI), eq(CLIENT_ID)))
            .thenReturn(Optional.empty());

    // The exchange data stored against the code carries the original auth request
    // (and therefore the redirect_uri the handler is expected to compare against).
    ClientSession storedSession =
            new ClientSession(
                    generateAuthRequest().toParameters(), LocalDateTime.now(), mock(VectorOfTrust.class));
    AuthCodeExchangeData exchangeData =
            new AuthCodeExchangeData()
                    .setEmail(TEST_EMAIL)
                    .setClientSessionId(CLIENT_SESSION_ID)
                    .setClientSession(storedSession);
    String issuedCode = new AuthorizationCode().toString();
    when(authorisationCodeService.getExchangeDataForCode(issuedCode)).thenReturn(Optional.of(exchangeData));

    APIGatewayProxyResponseEvent response =
            generateApiGatewayRequest(clientAssertion, issuedCode, "http://invalid-redirect-uri", CLIENT_ID, true);

    assertThat(response, hasStatus(400));
    assertThat(response, hasBody(OAuth2Error.INVALID_GRANT.toJSONObject().toJSONString()));
}
/**
 * Doc-checking-app journey happy path. The subject the handler is expected to hand to the
 * token service is the doc-app subject stored on the client session
 * (DOC_APP_USER_PUBLIC_SUBJECT), which the generateTokenResponse stub below matches on for
 * both subject arguments.
 */
@Test
void shouldReturn200ForSuccessfulDocAppJourneyTokenRequest() throws JOSEException {
KeyPair keyPair = generateRsaKeyPair();
UserProfile userProfile = generateUserProfile();
// ID token signed with a throwaway EC P-256 key; the mocked token service returns it verbatim,
// so no signature verification of this token happens in this test.
SignedJWT signedJWT = generateIDToken(DOC_APP_CLIENT_ID.getValue(), PUBLIC_SUBJECT, "issuer-url", new ECKeyGenerator(Curve.P_256).algorithm(JWSAlgorithm.ES256).generate());
OIDCTokenResponse tokenResponse = new OIDCTokenResponse(new OIDCTokens(signedJWT, accessToken, refreshToken));
PrivateKeyJWT privateKeyJWT = generatePrivateKeyJWT(keyPair.getPrivate());
ClientRegistry clientRegistry = generateClientRegistry(keyPair, false);
// Client authentication (private_key_jwt) is stubbed to succeed for the doc-app client.
when(tokenService.validateTokenRequestParams(anyString())).thenReturn(Optional.empty());
when(clientService.getClient(DOC_APP_CLIENT_ID.getValue())).thenReturn(Optional.of(clientRegistry));
when(tokenService.getClientIDFromPrivateKeyJWT(anyString())).thenReturn(Optional.of(DOC_APP_CLIENT_ID.getValue()));
when(tokenService.validatePrivateKeyJWT(anyString(), eq(clientRegistry.getPublicKey()), eq(BASE_URI), eq(DOC_APP_CLIENT_ID.getValue()))).thenReturn(Optional.empty());
String authCode = new AuthorizationCode().toString();
// The session is built from a request-object auth request; the vtr is parsed from its
// custom "vtr" parameter and is later expected back in retrieveVectorOfTrustForToken() form.
AuthorizationRequest authenticationRequest = generateRequestObjectAuthRequest();
VectorOfTrust vtr = VectorOfTrust.parseFromAuthRequestAttribute(authenticationRequest.getCustomParameter("vtr"));
ClientSession clientSession = new ClientSession(authenticationRequest.toParameters(), LocalDateTime.now(), vtr);
// Marks the session as a doc-app journey; this is the subject the handler should use.
clientSession.setDocAppSubjectId(DOC_APP_USER_PUBLIC_SUBJECT);
when(authorisationCodeService.getExchangeDataForCode(authCode)).thenReturn(Optional.of(new AuthCodeExchangeData().setEmail(TEST_EMAIL).setClientSessionId(CLIENT_SESSION_ID).setClientSession(clientSession)));
when(dynamoService.getUserProfileByEmail(TEST_EMAIL)).thenReturn(userProfile);
// Exact-argument stub: scope must be openid + DOC_CHECKING_APP, claims map empty, and the
// trailing boolean (presumably the doc-app flag — confirm against TokenService) true.
when(tokenService.generateTokenResponse(DOC_APP_CLIENT_ID.getValue(), DOC_APP_USER_PUBLIC_SUBJECT, new Scope(OIDCScopeValue.OPENID, DOC_CHECKING_APP), Map.of(), DOC_APP_USER_PUBLIC_SUBJECT, vtr.retrieveVectorOfTrustForToken(), null, false, null, true)).thenReturn(tokenResponse);
APIGatewayProxyResponseEvent result = generateApiGatewayRequest(privateKeyJWT, authCode, DOC_APP_CLIENT_ID.getValue(), true);
assertThat(result, hasStatus(200));
// Body checks are substring matches on the token values, not a parse of the JSON response.
assertTrue(result.getBody().contains(refreshToken.getValue()));
assertTrue(result.getBody().contains(accessToken.getValue()));
}
@Test
public void shouldReturn400IfClientIsNotValid() throws JOSEException {
    // An unknown client_id must be refused with invalid_client. Nothing is stubbed for the
    // authorization code, so the handler is expected not to reach the code exchange.
    KeyPair rsaKeys = generateRsaKeyPair();
    PrivateKeyJWT clientAssertion = generatePrivateKeyJWT(rsaKeys.getPrivate());
    String unusedCode = new AuthorizationCode().toString();

    when(tokenService.validateTokenRequestParams(anyString())).thenReturn(Optional.empty());
    // Client lookup finds nothing for CLIENT_ID.
    when(clientService.getClient(eq(CLIENT_ID))).thenReturn(Optional.empty());

    APIGatewayProxyResponseEvent response =
            generateApiGatewayRequest(clientAssertion, unusedCode, CLIENT_ID, true);

    assertEquals(400, response.getStatusCode());
    assertThat(response, hasBody(OAuth2Error.INVALID_CLIENT.toJSONObject().toJSONString()));
}
@ParameterizedTest
@NullSource
@ValueSource(strings = { CLIENT_ID })
public void shouldReturn200ForSuccessfulRefreshTokenRequest(String clientId) throws JOSEException, ParseException, Json.JsonException {
    // Refresh-grant happy path, run once with and once without a client_id form parameter.
    // In the null case the client is presumably identified from the private_key_jwt
    // assertion alone (getClientIDFromPrivateKeyJWT is stubbed below) — confirm in the handler.
    SignedJWT refreshJwt = createSignedRefreshToken();
    RefreshToken presentedRefreshToken = new RefreshToken(refreshJwt.serialize());
    OIDCTokenResponse expectedResponse =
            new OIDCTokenResponse(new OIDCTokens(accessToken, presentedRefreshToken));
    KeyPair rsaKeys = generateRsaKeyPair();
    PrivateKeyJWT clientAssertion = generatePrivateKeyJWT(rsaKeys.getPrivate());
    ClientRegistry registeredClient = generateClientRegistry(rsaKeys, false);

    // Client authentication is stubbed to succeed.
    when(tokenService.validateTokenRequestParams(anyString())).thenReturn(Optional.empty());
    when(clientService.getClient(eq(CLIENT_ID))).thenReturn(Optional.of(registeredClient));
    when(tokenService.getClientIDFromPrivateKeyJWT(anyString())).thenReturn(Optional.of(CLIENT_ID));
    when(tokenService.validatePrivateKeyJWT(
                    anyString(), eq(registeredClient.getPublicKey()), eq(BASE_URI), eq(CLIENT_ID)))
            .thenReturn(Optional.empty());

    // Refresh-token signature/expiry and scope checks are mocked as passing; this test does
    // not exercise the real validation logic.
    when(tokenValidationService.validateRefreshTokenSignatureAndExpiry(presentedRefreshToken)).thenReturn(true);
    when(tokenValidationService.validateRefreshTokenScopes(SCOPES.toStringList(), SCOPES.toStringList())).thenReturn(true);

    // Stored record is found under the key derived from the refresh token's jti; the lookup
    // keyed by client + public subject returns nothing. Both are stubbed on popValue (not a
    // plain get), consistent with the record being consumed on use — confirm in the handler.
    RefreshTokenStore storedRecord =
            new RefreshTokenStore(presentedRefreshToken.getValue(), INTERNAL_SUBJECT.getValue());
    String storedRecordJson = objectMapper.writeValueAsString(storedRecord);
    String subjectKey = REFRESH_TOKEN_PREFIX + CLIENT_ID + "." + PUBLIC_SUBJECT.getValue();
    String jtiKey = REFRESH_TOKEN_PREFIX + refreshJwt.getJWTClaimsSet().getJWTID();
    when(redisConnectionService.popValue(subjectKey)).thenReturn(null);
    when(redisConnectionService.popValue(jtiKey)).thenReturn(storedRecordJson);

    when(tokenService.generateRefreshTokenResponse(
                    eq(CLIENT_ID), eq(INTERNAL_SUBJECT), eq(SCOPES.toStringList()), eq(PUBLIC_SUBJECT)))
            .thenReturn(expectedResponse);

    APIGatewayProxyResponseEvent response =
            generateApiGatewayRefreshRequest(clientAssertion, presentedRefreshToken.getValue(), clientId);

    assertThat(response, hasStatus(200));
    // Substring checks on the raw body rather than a parse of the JSON token response.
    assertTrue(response.getBody().contains(presentedRefreshToken.getValue()));
    assertTrue(response.getBody().contains(accessToken.getValue()));
}
@Test
public void shouldReturn400IfSignatureOfPrivateKeyJWTCantBeVerified() throws JOSEException {
    // The client assertion is signed with a key pair that is not the one held in the client
    // registry, so client authentication must fail with invalid_client.
    KeyPair signingKeys = generateRsaKeyPair();     // signs the assertion
    KeyPair registeredKeys = generateRsaKeyPair();  // what the registry holds for CLIENT_ID
    ClientRegistry registeredClient = generateClientRegistry(registeredKeys, false);
    PrivateKeyJWT mismatchedAssertion = generatePrivateKeyJWT(signingKeys.getPrivate());

    when(clientService.getClient(eq(CLIENT_ID))).thenReturn(Optional.of(registeredClient));
    // NOTE(review): this stub expects TOKEN_URI as the audience whereas the sibling tests in
    // this class use BASE_URI. If the handler actually passes BASE_URI, this stub never
    // matches and the 400 would come from Mockito's default return rather than the
    // signature check — confirm which audience the handler uses.
    when(tokenService.validatePrivateKeyJWT(
                    anyString(), eq(registeredClient.getPublicKey()), eq(TOKEN_URI), eq(CLIENT_ID)))
            .thenReturn(Optional.of(OAuth2Error.INVALID_CLIENT));

    APIGatewayProxyResponseEvent response =
            generateApiGatewayRequest(mismatchedAssertion, new AuthorizationCode().toString(), CLIENT_ID, true);

    assertThat(response, hasStatus(400));
    assertThat(response, hasBody(OAuth2Error.INVALID_CLIENT.toJSONObject().toJSONString()));
}