Search in sources :

Example 16 with ClientRegistration

use of com.gw2auth.oauth2.server.service.client.registration.ClientRegistration in project oauth2-server by gw2auth.

the class ApiTokenController method getApiTokens.

@GetMapping(value = "/api/token", produces = MediaType.APPLICATION_JSON_VALUE)
public List<ApiTokenResponse> getApiTokens(@AuthenticationPrincipal Gw2AuthUser user) {
    final List<ApiToken> apiTokens = this.apiTokenService.getApiTokens(user.getAccountId());
    // get all gw2 account ids for authorization batch lookup
    final Set<UUID> gw2AccountIds = apiTokens.stream().map(ApiToken::gw2AccountId).collect(Collectors.toSet());
    // aggregate authorizations for later lookup
    final List<ClientAuthorization> clientAuthorizations = this.clientAuthorizationService.getClientAuthorizations(user.getAccountId(), gw2AccountIds);
    final Set<Long> clientRegistrationIds = new HashSet<>(clientAuthorizations.size());
    final Map<UUID, Set<Long>> clientRegistrationIdsByGw2AccountId = new HashMap<>(clientAuthorizations.size());
    for (ClientAuthorization clientAuthorization : clientAuthorizations) {
        clientRegistrationIds.add(clientAuthorization.clientRegistrationId());
        for (UUID gw2AccountId : clientAuthorization.gw2AccountIds()) {
            clientRegistrationIdsByGw2AccountId.computeIfAbsent(gw2AccountId, (k) -> new HashSet<>()).add(clientAuthorization.clientRegistrationId());
        }
    }
    // find all client registrations for the registration ids and remember them by id
    final Map<Long, ClientRegistration> clientRegistrationById = this.clientRegistrationService.getClientRegistrations(clientRegistrationIds).stream().collect(Collectors.toMap(ClientRegistration::id, Function.identity()));
    // find all verified gw2 account ids for this account (better than querying for every single one)
    final Set<UUID> verifiedGw2AccountIds = this.verificationService.getVerifiedGw2AccountIds(user.getAccountId());
    final List<ApiTokenResponse> response = new ArrayList<>(apiTokens.size());
    for (ApiToken apiToken : apiTokens) {
        final Set<Long> clientRegistrationIdsForThisToken = clientRegistrationIdsByGw2AccountId.get(apiToken.gw2AccountId());
        final List<ApiTokenResponse.Authorization> authorizations;
        if (clientRegistrationIdsForThisToken != null && !clientRegistrationIdsForThisToken.isEmpty()) {
            authorizations = new ArrayList<>(clientRegistrationIdsForThisToken.size());
            for (long clientRegistrationId : clientRegistrationIdsForThisToken) {
                final ClientRegistration clientRegistration = clientRegistrationById.get(clientRegistrationId);
                if (clientRegistration != null) {
                    authorizations.add(ApiTokenResponse.Authorization.create(clientRegistration));
                }
            }
        } else {
            authorizations = List.of();
        }
        response.add(ApiTokenResponse.create(apiToken, verifiedGw2AccountIds.contains(apiToken.gw2AccountId()), authorizations));
    }
    return response;
}
Also used : Gw2AuthUser(com.gw2auth.oauth2.server.service.user.Gw2AuthUser) AbstractRestController(com.gw2auth.oauth2.server.web.AbstractRestController) java.util(java.util) ApiTokenService(com.gw2auth.oauth2.server.service.apitoken.ApiTokenService) ClientAuthorizationService(com.gw2auth.oauth2.server.service.client.authorization.ClientAuthorizationService) MediaType(org.springframework.http.MediaType) Autowired(org.springframework.beans.factory.annotation.Autowired) ClientRegistrationService(com.gw2auth.oauth2.server.service.client.registration.ClientRegistrationService) Function(java.util.function.Function) Collectors(java.util.stream.Collectors) VerificationService(com.gw2auth.oauth2.server.service.verification.VerificationService) ApiToken(com.gw2auth.oauth2.server.service.apitoken.ApiToken) AuthenticationPrincipal(org.springframework.security.core.annotation.AuthenticationPrincipal) org.springframework.web.bind.annotation(org.springframework.web.bind.annotation) ClientRegistration(com.gw2auth.oauth2.server.service.client.registration.ClientRegistration) ClientAuthorization(com.gw2auth.oauth2.server.service.client.authorization.ClientAuthorization) ClientAuthorization(com.gw2auth.oauth2.server.service.client.authorization.ClientAuthorization) ClientAuthorization(com.gw2auth.oauth2.server.service.client.authorization.ClientAuthorization) ClientRegistration(com.gw2auth.oauth2.server.service.client.registration.ClientRegistration) ApiToken(com.gw2auth.oauth2.server.service.apitoken.ApiToken)

Example 17 with ClientRegistration

use of com.gw2auth.oauth2.server.service.client.registration.ClientRegistration in project oauth2-server by gw2auth.

the class OAuth2ServerTest method consentSubmitAndHappyFlow.

@WithGw2AuthLogin
public void consentSubmitAndHappyFlow(MockHttpSession session) throws Exception {
    final long accountId = AuthenticationHelper.getUser(session).orElseThrow().getAccountId();
    final ClientRegistrationCreation clientRegistrationCreation = createClientRegistration();
    final ClientRegistration clientRegistration = clientRegistrationCreation.clientRegistration();
    // perform authorization request (which should redirect to the consent page)
    MvcResult result = performAuthorizeWithClient(session, clientRegistration, List.of(Gw2ApiPermission.ACCOUNT.oauth2())).andReturn();
    // submit the consent
    final String tokenA = TestHelper.randomRootToken();
    final String tokenB = TestHelper.randomRootToken();
    final String tokenC = TestHelper.randomRootToken();
    result = performSubmitConsent(session, clientRegistration, URI.create(Objects.requireNonNull(result.getResponse().getRedirectedUrl())), tokenA, tokenB, tokenC).andReturn();
    // verify the consent has been saved
    final ClientConsentEntity clientConsentEntity = this.clientConsentRepository.findByAccountIdAndClientRegistrationId(accountId, clientRegistration.id()).orElse(null);
    assertNotNull(clientConsentEntity);
    assertEquals(Set.of(Gw2ApiPermission.ACCOUNT.oauth2()), clientConsentEntity.authorizedScopes());
    // verify the authorization has been saved
    final List<ClientAuthorizationEntity> authorizations = this.clientAuthorizationRepository.findAllByAccountIdAndClientRegistrationId(accountId, clientConsentEntity.clientRegistrationId());
    assertEquals(1, authorizations.size());
    final ClientAuthorizationEntity clientAuthorization = authorizations.get(0);
    assertEquals(Set.of(Gw2ApiPermission.ACCOUNT.oauth2()), clientAuthorization.authorizedScopes());
    // verify the tokens have been saved
    List<ClientAuthorizationTokenEntity> clientAuthorizationTokenEntities = this.clientAuthorizationTokenRepository.findAllByAccountIdAndClientAuthorizationId(accountId, clientAuthorization.id());
    assertEquals(2, clientAuthorizationTokenEntities.size());
    // set testing clock to token customizer
    final Clock testingClock = Clock.fixed(Instant.now(), ZoneId.systemDefault());
    this.oAuth2TokenCustomizerService.setClock(testingClock);
    // retrieve the initial access and refresh token
    final String dummySubtokenA = TestHelper.createSubtokenJWT(this.gw2AccountId1st, Set.of(Gw2ApiPermission.ACCOUNT), testingClock.instant(), Duration.ofMinutes(30L));
    final String dummySubtokenB = TestHelper.createSubtokenJWT(this.gw2AccountId2nd, Set.of(Gw2ApiPermission.ACCOUNT), testingClock.instant(), Duration.ofMinutes(30L));
    result = performRetrieveTokenByCodeAndExpectValid(clientRegistrationCreation, URI.create(Objects.requireNonNull(result.getResponse().getRedirectedUrl())), Map.of(tokenA, dummySubtokenA, tokenB, dummySubtokenB)).andReturn();
    // verify the subtokens have been saved
    final Set<String> subTokens = this.apiSubTokenRepository.findAllByAccountIdGw2AccountIdsAndGw2ApiPermissionsBitSet(accountId, Set.of(this.gw2AccountId1st, this.gw2AccountId2nd), Gw2ApiPermission.toBitSet(Set.of(Gw2ApiPermission.ACCOUNT))).stream().map(ApiSubTokenEntity::gw2ApiSubtoken).collect(Collectors.toSet());
    assertEquals(2, subTokens.size());
    assertTrue(subTokens.contains(dummySubtokenA));
    assertTrue(subTokens.contains(dummySubtokenB));
    // verify the validity status has been saved
    final List<ApiTokenEntity> apiTokenEntities = this.apiTokenRepository.findAllByAccountIdAndGw2AccountIds(accountId, Set.of(this.gw2AccountId1st, this.gw2AccountId2nd));
    assertEquals(2, apiTokenEntities.size());
    assertTrue(apiTokenEntities.get(0).isValid());
    assertInstantEquals(testingClock.instant(), apiTokenEntities.get(0).lastValidCheckTime());
    assertTrue(apiTokenEntities.get(1).isValid());
    assertInstantEquals(testingClock.instant(), apiTokenEntities.get(1).lastValidCheckTime());
    // verify the access token
    JsonNode tokenResponse = assertTokenResponse(result, () -> Map.of(this.gw2AccountId1st, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "First", "token", dummySubtokenA)), this.gw2AccountId2nd, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "Second", "token", dummySubtokenB))));
    // retrieve a new access token using the refresh token
    final String refreshToken = tokenResponse.get("refresh_token").textValue();
    result = performRetrieveTokensByRefreshTokenAndExpectValid(clientRegistrationCreation, refreshToken).andReturn();
    tokenResponse = assertTokenResponse(result, () -> Map.of(this.gw2AccountId1st, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "First", "token", dummySubtokenA)), this.gw2AccountId2nd, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "Second", "token", dummySubtokenB))));
    assertNotEquals(refreshToken, tokenResponse.get("refresh_token").textValue());
}
Also used : ApiTokenEntity(com.gw2auth.oauth2.server.repository.apitoken.ApiTokenEntity) JsonNode(com.fasterxml.jackson.databind.JsonNode) MvcResult(org.springframework.test.web.servlet.MvcResult) Clock(java.time.Clock) ClientRegistrationCreation(com.gw2auth.oauth2.server.service.client.registration.ClientRegistrationCreation) ClientAuthorizationEntity(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationEntity) ClientRegistration(com.gw2auth.oauth2.server.service.client.registration.ClientRegistration) JSONObject(org.json.JSONObject) ClientAuthorizationTokenEntity(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationTokenEntity) ClientConsentEntity(com.gw2auth.oauth2.server.repository.client.consent.ClientConsentEntity)

Example 18 with ClientRegistration

use of com.gw2auth.oauth2.server.service.client.registration.ClientRegistration in project oauth2-server by gw2auth.

the class OAuth2ServerTest method consentSubmitWithUnexpectedGW2APIException.

@WithGw2AuthLogin
public void consentSubmitWithUnexpectedGW2APIException(MockHttpSession session) throws Exception {
    final long accountId = AuthenticationHelper.getUser(session).orElseThrow().getAccountId();
    final ClientRegistrationCreation clientRegistrationCreation = createClientRegistration();
    final ClientRegistration clientRegistration = clientRegistrationCreation.clientRegistration();
    // perform authorization request (which should redirect to the consent page)
    MvcResult result = performAuthorizeWithClient(session, clientRegistration, List.of(Gw2ApiPermission.ACCOUNT.oauth2())).andReturn();
    // submit the consent
    final String tokenA = TestHelper.randomRootToken();
    final String tokenB = TestHelper.randomRootToken();
    final String tokenC = TestHelper.randomRootToken();
    result = performSubmitConsent(session, clientRegistration, URI.create(Objects.requireNonNull(result.getResponse().getRedirectedUrl())), tokenA, tokenB, tokenC).andReturn();
    // verify the consent has been saved
    final ClientConsentEntity clientConsentEntity = this.clientConsentRepository.findByAccountIdAndClientRegistrationId(accountId, clientRegistration.id()).orElse(null);
    assertNotNull(clientConsentEntity);
    assertEquals(Set.of(Gw2ApiPermission.ACCOUNT.oauth2()), clientConsentEntity.authorizedScopes());
    // verify the authorization has been saved
    final List<ClientAuthorizationEntity> authorizations = this.clientAuthorizationRepository.findAllByAccountIdAndClientRegistrationId(accountId, clientConsentEntity.clientRegistrationId());
    assertEquals(1, authorizations.size());
    final ClientAuthorizationEntity clientAuthorization = authorizations.get(0);
    assertEquals(Set.of(Gw2ApiPermission.ACCOUNT.oauth2()), clientAuthorization.authorizedScopes());
    List<ClientAuthorizationTokenEntity> clientAuthorizationTokenEntities = this.clientAuthorizationTokenRepository.findAllByAccountIdAndClientAuthorizationId(accountId, clientAuthorization.id());
    assertEquals(2, clientAuthorizationTokenEntities.size());
    // set testing clock to token customizer
    final Clock testingClock = Clock.fixed(Instant.now(), ZoneId.systemDefault());
    this.oAuth2TokenCustomizerService.setClock(testingClock);
    // prepare the gw2 api for the next requests
    final String dummySubtokenA = TestHelper.createSubtokenJWT(this.gw2AccountId1st, Set.of(Gw2ApiPermission.ACCOUNT), testingClock.instant(), Duration.ofMinutes(30L));
    this.gw2RestServer.reset();
    this.gw2RestServer.expect(times(2), requestTo(new StringStartsWith("/v2/createsubtoken"))).andExpect(method(HttpMethod.GET)).andExpect(MockRestRequestMatchers.header("Authorization", new StringStartsWith("Bearer "))).andExpect(queryParam("permissions", split(",", containingAll(Gw2ApiPermission.ACCOUNT.gw2())))).andExpect(queryParam("expire", asInstant(instantWithinTolerance(Instant.now().plus(Duration.ofMinutes(30L)), Duration.ofSeconds(5L))))).andRespond((request) -> {
        final String gw2ApiToken = request.getHeaders().getFirst("Authorization").replaceFirst("Bearer ", "");
        final String subtoken;
        if (gw2ApiToken.equals(tokenA)) {
            subtoken = dummySubtokenA;
        } else if (gw2ApiToken.equals(tokenB)) {
            throw new RuntimeException("unexpected exception");
        } else {
            subtoken = null;
        }
        if (subtoken == null || subtoken.isEmpty()) {
            return new MockClientHttpResponse(new byte[0], HttpStatus.UNAUTHORIZED);
        }
        final MockClientHttpResponse response = new MockClientHttpResponse(new JSONObject(Map.of("subtoken", subtoken)).toString().getBytes(StandardCharsets.UTF_8), HttpStatus.OK);
        response.getHeaders().setContentType(MediaType.APPLICATION_JSON);
        return response;
    });
    // retrieve the initial access and refresh token
    final String codeParam = Utils.parseQuery(URI.create(Objects.requireNonNull(result.getResponse().getRedirectedUrl())).getRawQuery()).filter(QueryParam::hasValue).filter((queryParam) -> queryParam.name().equals(OAuth2ParameterNames.CODE)).map(QueryParam::value).findFirst().orElse(null);
    assertNotNull(codeParam);
    // retrieve an access token
    // dont use the user session here!
    result = this.mockMvc.perform(post("/oauth2/token").queryParam(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()).queryParam(OAuth2ParameterNames.CODE, codeParam).queryParam(OAuth2ParameterNames.CLIENT_ID, clientRegistrationCreation.clientRegistration().clientId().toString()).queryParam(OAuth2ParameterNames.CLIENT_SECRET, clientRegistrationCreation.clientSecret()).queryParam(OAuth2ParameterNames.REDIRECT_URI, TestHelper.first(clientRegistrationCreation.clientRegistration().redirectUris()).orElseThrow())).andExpectAll(expectValidTokenResponse()).andReturn();
    // verify the subtokens have been updated
    final Set<String> savedSubtokens = this.apiSubTokenRepository.findAllByAccountIdGw2AccountIdsAndGw2ApiPermissionsBitSet(accountId, Set.of(this.gw2AccountId1st, this.gw2AccountId2nd), Gw2ApiPermission.toBitSet(Set.of(Gw2ApiPermission.ACCOUNT))).stream().map(ApiSubTokenEntity::gw2ApiSubtoken).collect(Collectors.toSet());
    assertEquals(1, savedSubtokens.size());
    assertTrue(savedSubtokens.contains(dummySubtokenA));
    // verify the validity status has been saved
    final List<ApiTokenEntity> apiTokenEntities = this.apiTokenRepository.findAllByAccountIdAndGw2AccountIds(accountId, Set.of(this.gw2AccountId1st, this.gw2AccountId2nd));
    assertEquals(2, apiTokenEntities.size());
    for (ApiTokenEntity apiTokenEntity : apiTokenEntities) {
        if (apiTokenEntity.gw2AccountId().equals(this.gw2AccountId1st)) {
            assertTrue(apiTokenEntity.isValid());
            assertInstantEquals(testingClock.instant(), apiTokenEntity.lastValidCheckTime());
        } else {
            assertTrue(apiTokenEntity.isValid());
            assertTrue(testingClock.instant().isAfter(apiTokenEntity.lastValidCheckTime()));
        }
    }
    // verify the access token
    assertTokenResponse(result, () -> Map.of(this.gw2AccountId1st, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "First", "token", dummySubtokenA)), this.gw2AccountId2nd, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "Second", "error", "Failed to obtain new subtoken"))));
}
Also used : ApiTokenRepository(com.gw2auth.oauth2.server.repository.apitoken.ApiTokenRepository) BeforeEach(org.junit.jupiter.api.BeforeEach) MockMvcResultMatchers.jsonPath(org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath) AccountService(com.gw2auth.oauth2.server.service.account.AccountService) Autowired(org.springframework.beans.factory.annotation.Autowired) JWTParser(com.nimbusds.jwt.JWTParser) QueryParam(com.gw2auth.oauth2.server.util.QueryParam) MockHttpServletRequestBuilder(org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder) ResultActions(org.springframework.test.web.servlet.ResultActions) ClientConsentEntity(com.gw2auth.oauth2.server.repository.client.consent.ClientConsentEntity) JSONObject(org.json.JSONObject) JWT(com.nimbusds.jwt.JWT) Duration(java.time.Duration) Utils(com.gw2auth.oauth2.server.util.Utils) JsonNode(com.fasterxml.jackson.databind.JsonNode) StringEndsWith(org.hamcrest.core.StringEndsWith) URI(java.net.URI) OAuth2TokenCustomizerService(com.gw2auth.oauth2.server.service.OAuth2TokenCustomizerService) StringStartsWith(org.hamcrest.core.StringStartsWith) MediaType(org.springframework.http.MediaType) Assertions.assertInstantEquals(com.gw2auth.oauth2.server.Assertions.assertInstantEquals) MockHttpSession(org.springframework.mock.web.MockHttpSession) MockMvcResultMatchers(org.springframework.test.web.servlet.result.MockMvcResultMatchers) ClientAuthorizationTokenRepository(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationTokenRepository) Instant(java.time.Instant) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) ZoneId(java.time.ZoneId) Test(org.junit.jupiter.api.Test) ClientConsentService(com.gw2auth.oauth2.server.service.client.consent.ClientConsentService) SpringBootTest(org.springframework.boot.test.context.SpringBootTest) ClientRegistration(com.gw2auth.oauth2.server.service.client.registration.ClientRegistration) MockRestRequestMatchers(org.springframework.test.web.client.match.MockRestRequestMatchers) SecurityMockMvcRequestPostProcessors.csrf(org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf) ClientAuthorizationRepository(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationRepository) OAuth2ParameterNames(org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames) ApiSubTokenRepository(com.gw2auth.oauth2.server.repository.apisubtoken.ApiSubTokenRepository) java.util(java.util) com.gw2auth.oauth2.server(com.gw2auth.oauth2.server) ClientAuthorizationServiceImpl(com.gw2auth.oauth2.server.service.client.authorization.ClientAuthorizationServiceImpl) Gw2AccountVerificationRepository(com.gw2auth.oauth2.server.repository.verification.Gw2AccountVerificationRepository) ResultMatcher(org.springframework.test.web.servlet.ResultMatcher) AuthenticationHelper(com.gw2auth.oauth2.server.util.AuthenticationHelper) MockClientHttpResponse(org.springframework.mock.http.client.MockClientHttpResponse) ClientRegistrationService(com.gw2auth.oauth2.server.service.client.registration.ClientRegistrationService) Supplier(java.util.function.Supplier) AllOf(org.hamcrest.core.AllOf) MockRestServiceServer(org.springframework.test.web.client.MockRestServiceServer) MockMvc(org.springframework.test.web.servlet.MockMvc) ClientConsentRepository(com.gw2auth.oauth2.server.repository.client.consent.ClientConsentRepository) RegisterExtension(org.junit.jupiter.api.extension.RegisterExtension) MockMvcRequestBuilders.post(org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post) MvcResult(org.springframework.test.web.servlet.MvcResult) IsEqual(org.hamcrest.core.IsEqual) Qualifier(org.springframework.beans.factory.annotation.Qualifier) ExpectedCount.times(org.springframework.test.web.client.ExpectedCount.times) Gw2AccountVerificationEntity(com.gw2auth.oauth2.server.repository.verification.Gw2AccountVerificationEntity) ClientAuthorizationEntity(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationEntity) MockMvcResultMatchers.header(org.springframework.test.web.servlet.result.MockMvcResultMatchers.header) ClientAuthorizationTokenEntity(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationTokenEntity) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) HttpMethod(org.springframework.http.HttpMethod) Account(com.gw2auth.oauth2.server.service.account.Account) ApiTokenEntity(com.gw2auth.oauth2.server.repository.apitoken.ApiTokenEntity) HttpStatus(org.springframework.http.HttpStatus) ApiSubTokenEntity(com.gw2auth.oauth2.server.repository.apisubtoken.ApiSubTokenEntity) AutoConfigureMockMvc(org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc) OAuth2TokenType(org.springframework.security.oauth2.core.OAuth2TokenType) ClientRegistrationCreation(com.gw2auth.oauth2.server.service.client.registration.ClientRegistrationCreation) Gw2ApiPermission(com.gw2auth.oauth2.server.service.Gw2ApiPermission) Matchers(com.gw2auth.oauth2.server.Matchers) Assertions(org.junit.jupiter.api.Assertions) MockMvcRequestBuilders.get(org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get) Clock(java.time.Clock) AuthorizationGrantType(org.springframework.security.oauth2.core.AuthorizationGrantType) UriComponents(org.springframework.web.util.UriComponents) ApiTokenEntity(com.gw2auth.oauth2.server.repository.apitoken.ApiTokenEntity) StringStartsWith(org.hamcrest.core.StringStartsWith) MvcResult(org.springframework.test.web.servlet.MvcResult) Clock(java.time.Clock) ClientRegistrationCreation(com.gw2auth.oauth2.server.service.client.registration.ClientRegistrationCreation) ClientAuthorizationEntity(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationEntity) ClientRegistration(com.gw2auth.oauth2.server.service.client.registration.ClientRegistration) JSONObject(org.json.JSONObject) QueryParam(com.gw2auth.oauth2.server.util.QueryParam) ClientAuthorizationTokenEntity(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationTokenEntity) ClientConsentEntity(com.gw2auth.oauth2.server.repository.client.consent.ClientConsentEntity) MockClientHttpResponse(org.springframework.mock.http.client.MockClientHttpResponse)

Example 19 with ClientRegistration

use of com.gw2auth.oauth2.server.service.client.registration.ClientRegistration in project oauth2-server by gw2auth.

the class OAuth2ServerTest method consentSubmitWithExpiredSubtokens.

@WithGw2AuthLogin
public void consentSubmitWithExpiredSubtokens(MockHttpSession session) throws Exception {
    final long accountId = AuthenticationHelper.getUser(session).orElseThrow().getAccountId();
    final ClientRegistrationCreation clientRegistrationCreation = createClientRegistration();
    final ClientRegistration clientRegistration = clientRegistrationCreation.clientRegistration();
    // perform authorization request (which should redirect to the consent page)
    MvcResult result = performAuthorizeWithClient(session, clientRegistration, List.of(Gw2ApiPermission.ACCOUNT.oauth2())).andReturn();
    // submit the consent
    final String tokenA = TestHelper.randomRootToken();
    final String tokenB = TestHelper.randomRootToken();
    final String tokenC = TestHelper.randomRootToken();
    result = performSubmitConsent(session, clientRegistration, URI.create(Objects.requireNonNull(result.getResponse().getRedirectedUrl())), tokenA, tokenB, tokenC).andReturn();
    // verify the consent has been saved
    final ClientConsentEntity clientConsentEntity = this.clientConsentRepository.findByAccountIdAndClientRegistrationId(accountId, clientRegistration.id()).orElse(null);
    assertNotNull(clientConsentEntity);
    assertEquals(Set.of(Gw2ApiPermission.ACCOUNT.oauth2()), clientConsentEntity.authorizedScopes());
    // verify the authorization has been saved
    final List<ClientAuthorizationEntity> authorizations = this.clientAuthorizationRepository.findAllByAccountIdAndClientRegistrationId(accountId, clientConsentEntity.clientRegistrationId());
    assertEquals(1, authorizations.size());
    final ClientAuthorizationEntity clientAuthorization = authorizations.get(0);
    assertEquals(Set.of(Gw2ApiPermission.ACCOUNT.oauth2()), clientAuthorization.authorizedScopes());
    List<ClientAuthorizationTokenEntity> clientAuthorizationTokenEntities = this.clientAuthorizationTokenRepository.findAllByAccountIdAndClientAuthorizationId(accountId, clientAuthorization.id());
    assertEquals(2, clientAuthorizationTokenEntities.size());
    // set testing clock to token customizer
    Clock testingClock = Clock.fixed(Instant.now(), ZoneId.systemDefault());
    this.oAuth2TokenCustomizerService.setClock(testingClock);
    // retrieve the initial access and refresh token
    final String[] dummySubtokenA = new String[] { TestHelper.createSubtokenJWT(this.gw2AccountId1st, Set.of(Gw2ApiPermission.ACCOUNT), testingClock.instant(), Duration.ofMinutes(30L)) };
    final String[] dummySubtokenB = new String[] { TestHelper.createSubtokenJWT(this.gw2AccountId2nd, Set.of(Gw2ApiPermission.ACCOUNT), testingClock.instant(), Duration.ofMinutes(30L)) };
    result = performRetrieveTokenByCodeAndExpectValid(clientRegistrationCreation, URI.create(Objects.requireNonNull(result.getResponse().getRedirectedUrl())), Map.of(tokenA, dummySubtokenA[0], tokenB, dummySubtokenB[0])).andReturn();
    // verify the subtokens have been updated
    clientAuthorizationTokenEntities = this.clientAuthorizationTokenRepository.findAllByAccountIdAndClientAuthorizationId(accountId, clientAuthorization.id());
    assertEquals(2, clientAuthorizationTokenEntities.size());
    Set<String> savedSubtokens = this.apiSubTokenRepository.findAllByAccountIdGw2AccountIdsAndGw2ApiPermissionsBitSet(accountId, Set.of(this.gw2AccountId1st, this.gw2AccountId2nd), Gw2ApiPermission.toBitSet(Set.of(Gw2ApiPermission.ACCOUNT))).stream().map(ApiSubTokenEntity::gw2ApiSubtoken).collect(Collectors.toSet());
    assertEquals(2, savedSubtokens.size());
    assertTrue(savedSubtokens.contains(dummySubtokenA[0]));
    assertTrue(savedSubtokens.contains(dummySubtokenB[0]));
    // verify the validity status has been saved
    List<ApiTokenEntity> apiTokenEntities = this.apiTokenRepository.findAllByAccountIdAndGw2AccountIds(accountId, Set.of(this.gw2AccountId1st, this.gw2AccountId2nd));
    assertEquals(2, apiTokenEntities.size());
    assertTrue(apiTokenEntities.get(0).isValid());
    assertInstantEquals(testingClock.instant(), apiTokenEntities.get(0).lastValidCheckTime());
    assertTrue(apiTokenEntities.get(1).isValid());
    assertInstantEquals(testingClock.instant(), apiTokenEntities.get(1).lastValidCheckTime());
    // verify the access token
    JsonNode tokenResponse = assertTokenResponse(result, () -> Map.of(this.gw2AccountId1st, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "First", "token", dummySubtokenA[0])), this.gw2AccountId2nd, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "Second", "token", dummySubtokenB[0]))));
    // prepare the gw2 reset api for new subtoken requests
    dummySubtokenA[0] = TestHelper.createSubtokenJWT(this.gw2AccountId1st, Set.of(Gw2ApiPermission.ACCOUNT), testingClock.instant(), Duration.ofMinutes(30L));
    dummySubtokenB[0] = TestHelper.createSubtokenJWT(this.gw2AccountId2nd, Set.of(Gw2ApiPermission.ACCOUNT), testingClock.instant(), Duration.ofMinutes(30L));
    prepareGw2RestServerForCreateSubToken(Map.of(tokenA, dummySubtokenA[0], tokenB, dummySubtokenB[0]));
    // retrieve a new access token using the refresh token
    testingClock = Clock.offset(testingClock, Duration.ofMinutes(31L));
    this.oAuth2TokenCustomizerService.setClock(testingClock);
    final String refreshToken = tokenResponse.get("refresh_token").textValue();
    result = performRetrieveTokensByRefreshTokenAndExpectValid(clientRegistrationCreation, refreshToken).andReturn();
    // verify the subtokens have been updated
    savedSubtokens = this.apiSubTokenRepository.findAllByAccountIdGw2AccountIdsAndGw2ApiPermissionsBitSet(accountId, Set.of(this.gw2AccountId1st, this.gw2AccountId2nd), Gw2ApiPermission.toBitSet(Set.of(Gw2ApiPermission.ACCOUNT))).stream().map(ApiSubTokenEntity::gw2ApiSubtoken).collect(Collectors.toSet());
    assertEquals(2, savedSubtokens.size());
    assertTrue(savedSubtokens.contains(dummySubtokenA[0]));
    assertTrue(savedSubtokens.contains(dummySubtokenB[0]));
    // verify the validity status has been saved
    apiTokenEntities = this.apiTokenRepository.findAllByAccountIdAndGw2AccountIds(accountId, Set.of(this.gw2AccountId1st, this.gw2AccountId2nd));
    assertEquals(2, apiTokenEntities.size());
    assertTrue(apiTokenEntities.get(0).isValid());
    assertInstantEquals(testingClock.instant(), apiTokenEntities.get(0).lastValidCheckTime());
    assertTrue(apiTokenEntities.get(1).isValid());
    assertInstantEquals(testingClock.instant(), apiTokenEntities.get(1).lastValidCheckTime());
    // verify the new response
    tokenResponse = assertTokenResponse(result, () -> Map.of(this.gw2AccountId1st, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "First", "token", dummySubtokenA[0])), this.gw2AccountId2nd, new com.nimbusds.jose.shaded.json.JSONObject(Map.of("name", "Second", "token", dummySubtokenB[0]))));
    assertNotEquals(refreshToken, tokenResponse.get("refresh_token").textValue());
}
Also used : ApiTokenEntity(com.gw2auth.oauth2.server.repository.apitoken.ApiTokenEntity) JsonNode(com.fasterxml.jackson.databind.JsonNode) MvcResult(org.springframework.test.web.servlet.MvcResult) Clock(java.time.Clock) ClientRegistrationCreation(com.gw2auth.oauth2.server.service.client.registration.ClientRegistrationCreation) ClientAuthorizationEntity(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationEntity) ClientRegistration(com.gw2auth.oauth2.server.service.client.registration.ClientRegistration) JSONObject(org.json.JSONObject) ApiSubTokenEntity(com.gw2auth.oauth2.server.repository.apisubtoken.ApiSubTokenEntity) ClientAuthorizationTokenEntity(com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationTokenEntity) ClientConsentEntity(com.gw2auth.oauth2.server.repository.client.consent.ClientConsentEntity)

Example 20 with ClientRegistration

use of com.gw2auth.oauth2.server.service.client.registration.ClientRegistration in project oauth2-server by gw2auth.

the class OAuth2ServerTest method consentSubmitWithLessScopesThanRequested.

@WithGw2AuthLogin
public void consentSubmitWithLessScopesThanRequested(MockHttpSession session) throws Exception {
    final long accountId = AuthenticationHelper.getUser(session).orElseThrow().getAccountId();
    final ClientRegistrationCreation clientRegistrationCreation = createClientRegistration();
    final ClientRegistration clientRegistration = clientRegistrationCreation.clientRegistration();
    // perform authorization request (which should redirect to the consent page)
    MvcResult result = performAuthorizeWithClient(session, clientRegistration, List.of(Gw2ApiPermission.ACCOUNT.oauth2(), Gw2ApiPermission.TRADINGPOST.oauth2())).andReturn();
    // read request information from redirected uri
    final Map<String, String> params = Utils.parseQuery(URI.create(result.getResponse().getRedirectedUrl()).getRawQuery()).filter(QueryParam::hasValue).collect(Collectors.toMap(QueryParam::name, QueryParam::value));
    assertTrue(params.containsKey(OAuth2ParameterNames.CLIENT_ID));
    assertTrue(params.containsKey(OAuth2ParameterNames.STATE));
    assertTrue(params.containsKey(OAuth2ParameterNames.SCOPE));
    // insert a dummy api token
    this.testHelper.createApiToken(accountId, this.gw2AccountId1st, "TokenA", Set.of(Gw2ApiPermission.ACCOUNT, Gw2ApiPermission.TRADINGPOST), "First");
    // lookup the consent info (containing the submit uri and parameters that should be submitted)
    result = this.mockMvc.perform(get("/api/oauth2/consent").session(session).queryParam(OAuth2ParameterNames.CLIENT_ID, params.get(OAuth2ParameterNames.CLIENT_ID)).queryParam(OAuth2ParameterNames.STATE, params.get(OAuth2ParameterNames.STATE)).queryParam(OAuth2ParameterNames.SCOPE, params.get(OAuth2ParameterNames.SCOPE))).andReturn();
    // read the consent info and build the submit request
    final ObjectMapper mapper = new ObjectMapper();
    final JsonNode consentInfo = mapper.readTree(result.getResponse().getContentAsString());
    final String submitUri = consentInfo.get("submitFormUri").textValue();
    MockHttpServletRequestBuilder builder = post(submitUri).contentType(MediaType.APPLICATION_FORM_URLENCODED).session(session).with(csrf());
    for (Map.Entry<String, JsonNode> entry : (Iterable<? extends Map.Entry<String, JsonNode>>) () -> consentInfo.get("submitFormParameters").fields()) {
        final String name = entry.getKey();
        final JsonNode values = entry.getValue();
        for (int i = 0; i < values.size(); i++) {
            final String value = values.get(i).textValue();
            // exclude the tradingpost scope
            if (!name.equals(OAuth2ParameterNames.SCOPE) || !value.equals(Gw2ApiPermission.TRADINGPOST.oauth2())) {
                builder = builder.param(name, value);
            }
        }
    }
    final JsonNode apiTokensWithSufficientPermissions = consentInfo.get("apiTokensWithSufficientPermissions");
    assertEquals(1, apiTokensWithSufficientPermissions.size());
    assertEquals(0, consentInfo.get("apiTokensWithInsufficientPermissions").size());
    for (int i = 0; i < apiTokensWithSufficientPermissions.size(); i++) {
        builder = builder.param("token:" + apiTokensWithSufficientPermissions.get(i).get("gw2AccountId").textValue(), "");
    }
    // submit the consent
    this.mockMvc.perform(builder).andExpect(status().isBadRequest());
    // authorization should not be saved
    final ClientConsentEntity clientAuthorization = this.clientConsentRepository.findByAccountIdAndClientRegistrationId(accountId, clientRegistration.id()).orElse(null);
    // null is ok too
    if (clientAuthorization != null) {
        assertTrue(clientAuthorization.authorizedScopes().isEmpty());
    }
}
Also used : MockHttpServletRequestBuilder(org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder) JsonNode(com.fasterxml.jackson.databind.JsonNode) MvcResult(org.springframework.test.web.servlet.MvcResult) ClientRegistrationCreation(com.gw2auth.oauth2.server.service.client.registration.ClientRegistrationCreation) ClientRegistration(com.gw2auth.oauth2.server.service.client.registration.ClientRegistration) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) ClientConsentEntity(com.gw2auth.oauth2.server.repository.client.consent.ClientConsentEntity)

Aggregations

ClientRegistration (com.gw2auth.oauth2.server.service.client.registration.ClientRegistration)18 JsonNode (com.fasterxml.jackson.databind.JsonNode)14 ClientConsentEntity (com.gw2auth.oauth2.server.repository.client.consent.ClientConsentEntity)14 ClientRegistrationCreation (com.gw2auth.oauth2.server.service.client.registration.ClientRegistrationCreation)12 MvcResult (org.springframework.test.web.servlet.MvcResult)12 ClientAuthorizationEntity (com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationEntity)11 Clock (java.time.Clock)11 JSONObject (org.json.JSONObject)11 ClientAuthorizationTokenEntity (com.gw2auth.oauth2.server.repository.client.authorization.ClientAuthorizationTokenEntity)7 ApiTokenEntity (com.gw2auth.oauth2.server.repository.apitoken.ApiTokenEntity)6 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)4 ClientRegistrationEntity (com.gw2auth.oauth2.server.repository.client.registration.ClientRegistrationEntity)4 UriComponents (org.springframework.web.util.UriComponents)4 ApiSubTokenEntity (com.gw2auth.oauth2.server.repository.apisubtoken.ApiSubTokenEntity)3 Gw2ApiPermission (com.gw2auth.oauth2.server.service.Gw2ApiPermission)3 ClientRegistrationService (com.gw2auth.oauth2.server.service.client.registration.ClientRegistrationService)3 Collectors (java.util.stream.Collectors)3 Autowired (org.springframework.beans.factory.annotation.Autowired)3 MediaType (org.springframework.http.MediaType)3 ApiToken (com.gw2auth.oauth2.server.service.apitoken.ApiToken)2