Search in sources :

Example 46 with APIGatewayProxyResponseEvent

use of com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent in project di-authentication-api by alphagov.

the class TokenHandlerTest method shouldReturn400IfRedirectUriDoesNotMatchRedirectUriFromAuthRequest.

@Test
public void shouldReturn400IfRedirectUriDoesNotMatchRedirectUriFromAuthRequest() throws JOSEException {
    KeyPair keyPair = generateRsaKeyPair();
    PrivateKeyJWT privateKeyJWT = generatePrivateKeyJWT(keyPair.getPrivate());
    ClientRegistry clientRegistry = generateClientRegistry(keyPair, false);
    when(tokenService.validateTokenRequestParams(anyString())).thenReturn(Optional.empty());
    when(clientService.getClient(eq(CLIENT_ID))).thenReturn(Optional.of(clientRegistry));
    when(tokenService.getClientIDFromPrivateKeyJWT(anyString())).thenReturn(Optional.of(CLIENT_ID));
    when(tokenService.validatePrivateKeyJWT(anyString(), eq(clientRegistry.getPublicKey()), eq(BASE_URI), eq(CLIENT_ID))).thenReturn(Optional.empty());
    String authCode = new AuthorizationCode().toString();
    when(authorisationCodeService.getExchangeDataForCode(authCode)).thenReturn(Optional.of(new AuthCodeExchangeData().setEmail(TEST_EMAIL).setClientSessionId(CLIENT_SESSION_ID).setClientSession(new ClientSession(generateAuthRequest().toParameters(), LocalDateTime.now(), mock(VectorOfTrust.class)))));
    APIGatewayProxyResponseEvent result = generateApiGatewayRequest(privateKeyJWT, authCode, "http://invalid-redirect-uri", CLIENT_ID, true);
    assertThat(result, hasStatus(400));
    assertThat(result, hasBody(OAuth2Error.INVALID_GRANT.toJSONObject().toJSONString()));
}
Also used : AuthCodeExchangeData(uk.gov.di.authentication.shared.entity.AuthCodeExchangeData) AuthorizationCode(com.nimbusds.oauth2.sdk.AuthorizationCode) KeyPair(java.security.KeyPair) ClientSession(uk.gov.di.authentication.shared.entity.ClientSession) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) ClientRegistry(uk.gov.di.authentication.shared.entity.ClientRegistry) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) APIGatewayProxyResponseEvent(com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 47 with APIGatewayProxyResponseEvent

use of com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent in project di-authentication-api by alphagov.

the class TokenHandlerTest method shouldReturn200ForSuccessfulDocAppJourneyTokenRequest.

@Test
void shouldReturn200ForSuccessfulDocAppJourneyTokenRequest() throws JOSEException {
    KeyPair keyPair = generateRsaKeyPair();
    UserProfile userProfile = generateUserProfile();
    SignedJWT signedJWT = generateIDToken(DOC_APP_CLIENT_ID.getValue(), PUBLIC_SUBJECT, "issuer-url", new ECKeyGenerator(Curve.P_256).algorithm(JWSAlgorithm.ES256).generate());
    OIDCTokenResponse tokenResponse = new OIDCTokenResponse(new OIDCTokens(signedJWT, accessToken, refreshToken));
    PrivateKeyJWT privateKeyJWT = generatePrivateKeyJWT(keyPair.getPrivate());
    ClientRegistry clientRegistry = generateClientRegistry(keyPair, false);
    when(tokenService.validateTokenRequestParams(anyString())).thenReturn(Optional.empty());
    when(clientService.getClient(DOC_APP_CLIENT_ID.getValue())).thenReturn(Optional.of(clientRegistry));
    when(tokenService.getClientIDFromPrivateKeyJWT(anyString())).thenReturn(Optional.of(DOC_APP_CLIENT_ID.getValue()));
    when(tokenService.validatePrivateKeyJWT(anyString(), eq(clientRegistry.getPublicKey()), eq(BASE_URI), eq(DOC_APP_CLIENT_ID.getValue()))).thenReturn(Optional.empty());
    String authCode = new AuthorizationCode().toString();
    AuthorizationRequest authenticationRequest = generateRequestObjectAuthRequest();
    VectorOfTrust vtr = VectorOfTrust.parseFromAuthRequestAttribute(authenticationRequest.getCustomParameter("vtr"));
    ClientSession clientSession = new ClientSession(authenticationRequest.toParameters(), LocalDateTime.now(), vtr);
    clientSession.setDocAppSubjectId(DOC_APP_USER_PUBLIC_SUBJECT);
    when(authorisationCodeService.getExchangeDataForCode(authCode)).thenReturn(Optional.of(new AuthCodeExchangeData().setEmail(TEST_EMAIL).setClientSessionId(CLIENT_SESSION_ID).setClientSession(clientSession)));
    when(dynamoService.getUserProfileByEmail(TEST_EMAIL)).thenReturn(userProfile);
    when(tokenService.generateTokenResponse(DOC_APP_CLIENT_ID.getValue(), DOC_APP_USER_PUBLIC_SUBJECT, new Scope(OIDCScopeValue.OPENID, DOC_CHECKING_APP), Map.of(), DOC_APP_USER_PUBLIC_SUBJECT, vtr.retrieveVectorOfTrustForToken(), null, false, null, true)).thenReturn(tokenResponse);
    APIGatewayProxyResponseEvent result = generateApiGatewayRequest(privateKeyJWT, authCode, DOC_APP_CLIENT_ID.getValue(), true);
    assertThat(result, hasStatus(200));
    assertTrue(result.getBody().contains(refreshToken.getValue()));
    assertTrue(result.getBody().contains(accessToken.getValue()));
}
Also used : AuthorizationCode(com.nimbusds.oauth2.sdk.AuthorizationCode) KeyPair(java.security.KeyPair) AuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest) UserProfile(uk.gov.di.authentication.shared.entity.UserProfile) OIDCTokenResponse(com.nimbusds.openid.connect.sdk.OIDCTokenResponse) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) ECKeyGenerator(com.nimbusds.jose.jwk.gen.ECKeyGenerator) VectorOfTrust(uk.gov.di.authentication.shared.entity.VectorOfTrust) RequestObjectTestHelper.generateSignedJWT(uk.gov.di.authentication.oidc.helper.RequestObjectTestHelper.generateSignedJWT) SignedJWT(com.nimbusds.jwt.SignedJWT) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) APIGatewayProxyResponseEvent(com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent) AuthCodeExchangeData(uk.gov.di.authentication.shared.entity.AuthCodeExchangeData) Scope(com.nimbusds.oauth2.sdk.Scope) OIDCTokens(com.nimbusds.openid.connect.sdk.token.OIDCTokens) ClientSession(uk.gov.di.authentication.shared.entity.ClientSession) ClientRegistry(uk.gov.di.authentication.shared.entity.ClientRegistry) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 48 with APIGatewayProxyResponseEvent

use of com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent in project di-authentication-api by alphagov.

the class TokenHandlerTest method shouldReturn400IfClientIsNotValid.

@Test
public void shouldReturn400IfClientIsNotValid() throws JOSEException {
    when(tokenService.validateTokenRequestParams(anyString())).thenReturn(Optional.empty());
    when(clientService.getClient(eq(CLIENT_ID))).thenReturn(Optional.empty());
    KeyPair keyPair = generateRsaKeyPair();
    PrivateKeyJWT privateKeyJWT = generatePrivateKeyJWT(keyPair.getPrivate());
    APIGatewayProxyResponseEvent result = generateApiGatewayRequest(privateKeyJWT, new AuthorizationCode().toString(), CLIENT_ID, true);
    assertEquals(400, result.getStatusCode());
    assertThat(result, hasBody(OAuth2Error.INVALID_CLIENT.toJSONObject().toJSONString()));
}
Also used : AuthorizationCode(com.nimbusds.oauth2.sdk.AuthorizationCode) KeyPair(java.security.KeyPair) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) APIGatewayProxyResponseEvent(com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 49 with APIGatewayProxyResponseEvent

use of com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent in project di-authentication-api by alphagov.

the class TokenHandlerTest method shouldReturn200ForSuccessfulRefreshTokenRequest.

@ParameterizedTest
@NullSource
@ValueSource(strings = { CLIENT_ID })
public void shouldReturn200ForSuccessfulRefreshTokenRequest(String clientId) throws JOSEException, ParseException, Json.JsonException {
    SignedJWT signedRefreshToken = createSignedRefreshToken();
    KeyPair keyPair = generateRsaKeyPair();
    RefreshToken refreshToken = new RefreshToken(signedRefreshToken.serialize());
    OIDCTokenResponse tokenResponse = new OIDCTokenResponse(new OIDCTokens(accessToken, refreshToken));
    PrivateKeyJWT privateKeyJWT = generatePrivateKeyJWT(keyPair.getPrivate());
    ClientRegistry clientRegistry = generateClientRegistry(keyPair, false);
    when(tokenService.validateTokenRequestParams(anyString())).thenReturn(Optional.empty());
    when(clientService.getClient(eq(CLIENT_ID))).thenReturn(Optional.of(clientRegistry));
    when(tokenService.getClientIDFromPrivateKeyJWT(anyString())).thenReturn(Optional.of(CLIENT_ID));
    when(tokenService.validatePrivateKeyJWT(anyString(), eq(clientRegistry.getPublicKey()), eq(BASE_URI), eq(CLIENT_ID))).thenReturn(Optional.empty());
    when(tokenValidationService.validateRefreshTokenSignatureAndExpiry(refreshToken)).thenReturn(true);
    when(tokenValidationService.validateRefreshTokenScopes(SCOPES.toStringList(), SCOPES.toStringList())).thenReturn(true);
    RefreshTokenStore tokenStore = new RefreshTokenStore(refreshToken.getValue(), INTERNAL_SUBJECT.getValue());
    String tokenStoreString = objectMapper.writeValueAsString(tokenStore);
    when(redisConnectionService.popValue(REFRESH_TOKEN_PREFIX + CLIENT_ID + "." + PUBLIC_SUBJECT.getValue())).thenReturn(null);
    String redisKey = REFRESH_TOKEN_PREFIX + signedRefreshToken.getJWTClaimsSet().getJWTID();
    when(redisConnectionService.popValue(redisKey)).thenReturn(tokenStoreString);
    when(tokenService.generateRefreshTokenResponse(eq(CLIENT_ID), eq(INTERNAL_SUBJECT), eq(SCOPES.toStringList()), eq(PUBLIC_SUBJECT))).thenReturn(tokenResponse);
    APIGatewayProxyResponseEvent result = generateApiGatewayRefreshRequest(privateKeyJWT, refreshToken.getValue(), clientId);
    assertThat(result, hasStatus(200));
    assertTrue(result.getBody().contains(refreshToken.getValue()));
    assertTrue(result.getBody().contains(accessToken.getValue()));
}
Also used : RefreshTokenStore(uk.gov.di.authentication.shared.entity.RefreshTokenStore) KeyPair(java.security.KeyPair) RefreshToken(com.nimbusds.oauth2.sdk.token.RefreshToken) OIDCTokenResponse(com.nimbusds.openid.connect.sdk.OIDCTokenResponse) OIDCTokens(com.nimbusds.openid.connect.sdk.token.OIDCTokens) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) ClientRegistry(uk.gov.di.authentication.shared.entity.ClientRegistry) RequestObjectTestHelper.generateSignedJWT(uk.gov.di.authentication.oidc.helper.RequestObjectTestHelper.generateSignedJWT) SignedJWT(com.nimbusds.jwt.SignedJWT) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) APIGatewayProxyResponseEvent(com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent) ValueSource(org.junit.jupiter.params.provider.ValueSource) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest) NullSource(org.junit.jupiter.params.provider.NullSource)

Example 50 with APIGatewayProxyResponseEvent

use of com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent in project di-authentication-api by alphagov.

the class TokenHandlerTest method shouldReturn400IfSignatureOfPrivateKeyJWTCantBeVerified.

@Test
public void shouldReturn400IfSignatureOfPrivateKeyJWTCantBeVerified() throws JOSEException {
    KeyPair keyPairOne = generateRsaKeyPair();
    KeyPair keyPairTwo = generateRsaKeyPair();
    ClientRegistry clientRegistry = generateClientRegistry(keyPairTwo, false);
    PrivateKeyJWT privateKeyJWT = generatePrivateKeyJWT(keyPairOne.getPrivate());
    when(clientService.getClient(eq(CLIENT_ID))).thenReturn(Optional.of(clientRegistry));
    when(tokenService.validatePrivateKeyJWT(anyString(), eq(clientRegistry.getPublicKey()), eq(TOKEN_URI), eq(CLIENT_ID))).thenReturn(Optional.of(OAuth2Error.INVALID_CLIENT));
    APIGatewayProxyResponseEvent result = generateApiGatewayRequest(privateKeyJWT, new AuthorizationCode().toString(), CLIENT_ID, true);
    assertThat(result, hasStatus(400));
    assertThat(result, hasBody(OAuth2Error.INVALID_CLIENT.toJSONObject().toJSONString()));
}
Also used : AuthorizationCode(com.nimbusds.oauth2.sdk.AuthorizationCode) KeyPair(java.security.KeyPair) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) ClientRegistry(uk.gov.di.authentication.shared.entity.ClientRegistry) APIGatewayProxyResponseEvent(com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Aggregations

APIGatewayProxyResponseEvent (com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent)260 Test (org.junit.jupiter.api.Test)214 APIGatewayProxyRequestEvent (com.amazonaws.services.lambda.runtime.events.APIGatewayProxyRequestEvent)182 HashMap (java.util.HashMap)56 ParameterizedTest (org.junit.jupiter.params.ParameterizedTest)43 ArgumentMatchers.anyString (org.mockito.ArgumentMatchers.anyString)30 ErrorObject (com.nimbusds.oauth2.sdk.ErrorObject)22 URI (java.net.URI)21 NotifyRequest (uk.gov.di.authentication.shared.entity.NotifyRequest)17 UserProfile (uk.gov.di.authentication.shared.entity.UserProfile)17 Map (java.util.Map)16 ClientRegistry (uk.gov.di.authentication.shared.entity.ClientRegistry)14 ClientSession (uk.gov.di.authentication.shared.entity.ClientSession)14 Context (com.amazonaws.services.lambda.runtime.Context)13 JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException)13 AuthenticationRequest (com.nimbusds.openid.connect.sdk.AuthenticationRequest)13 NotifyRequest (uk.gov.di.accountmanagement.entity.NotifyRequest)13 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)12 Subject (com.nimbusds.oauth2.sdk.id.Subject)12 URIBuilder (org.apache.http.client.utils.URIBuilder)11