use of io.helidon.security.AuthenticationResponse in project helidon by oracle.
the class JwtProviderTest method testInvalidSignatureOk.
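@Test
@DisplayName("RSA Invalid Signature: verify-signature = false")
public void testInvalidSignatureOk() {
    // Pins the behaviour of the "jwt-no-verification" provider config: a token whose signature
    // segment has been replaced with junk is still accepted on the inbound (authentication)
    // side, because signature verification is switched off. The test first proves, against
    // verifyKeys, that the tampered signature really is invalid, so that the later acceptance can
    // only be explained by the disabled check. Security note: a provider configured this way
    // trusts whatever the Authorization header says; it is only acceptable when the token has
    // already been verified by something upstream and must never front untrusted callers.
    String username = "user1";
    String userId = "user1-id";
    String email = "user1@example.org";
    String familyName = "Novak";
    String givenName = "Standa";
    String fullName = "Standa Novak";
    Locale locale = Locale.CANADA_FRENCH;
    Principal principal = Principal.builder()
            .name(username)
            .id(userId)
            .addAttribute("email", email)
            .addAttribute("email_verified", true)
            .addAttribute("family_name", familyName)
            .addAttribute("given_name", givenName)
            .addAttribute("full_name", fullName)
            .addAttribute("locale", locale)
            .build();
    Subject subject = Subject.create(principal);
    JwtProvider provider = JwtProvider.create(providersConfig.get("jwt-no-verification"));

    // Outbound leg: let the provider mint and sign a token for the mocked current user.
    SecurityContext context = Mockito.mock(SecurityContext.class);
    when(context.user()).thenReturn(Optional.of(subject));
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/rsa")
            .transport("http")
            .targetUri(URI.create("http://localhost:8080/rsa"))
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();
    assertThat(provider.isOutboundSupported(request, outboundEnv, outboundEp), is(true));
    OutboundSecurityResponse response = provider.syncOutbound(request, outboundEnv, outboundEp);

    String authorization = response.requestHeaders().get("Authorization").get(0);
    // Check the scheme before stripping it; a blind substring would silently corrupt the token if
    // the header format ever changed and would surface as a confusing failure further down.
    assertThat("Outbound Authorization header must carry a bearer token",
               authorization.regionMatches(true, 0, "bearer ", 0, "bearer ".length()),
               is(true));
    String signedToken = authorization.substring("bearer ".length());

    // Tamper: keep "header.payload." and replace the signature segment with junk. JWS segments
    // are base64url without padding (RFC 7515), so encode the junk the same way; the explicit
    // charset keeps the bytes independent of the platform default.
    int signatureStart = signedToken.lastIndexOf('.') + 1;
    byte[] bogusSignature = "invalidSignature".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    signedToken = signedToken.substring(0, signatureStart)
            + Base64.getUrlEncoder().withoutPadding().encodeToString(bogusSignature);
    SignedJwt signedJwt = SignedJwt.parseToken(signedToken);
    assertThat("Should not be valid signature (wrong length)",
               signedJwt.verifySignature(verifyKeys).isValid(),
               is(false));

    // Inbound leg: present the tampered token to the same provider for authentication.
    ProviderRequest atnRequest = mock(ProviderRequest.class);
    SecurityEnvironment se = SecurityEnvironment.builder()
            .header("Authorization", "bearer " + signedToken)
            .build();
    when(atnRequest.env()).thenReturn(se);
    AuthenticationResponse authenticationResponse = provider.syncAuthenticate(atnRequest);

    // With verification disabled the claims are taken at face value: every attribute round-trips.
    authenticationResponse.user().map(Subject::principal).ifPresentOrElse(atnPrincipal -> {
        assertThat(atnPrincipal.id(), is(userId));
        assertThat(atnPrincipal.getName(), is(username));
        assertThat(atnPrincipal.abacAttribute("email"), is(Optional.of(email)));
        assertThat(atnPrincipal.abacAttribute("email_verified"), is(Optional.of(true)));
        assertThat(atnPrincipal.abacAttribute("family_name"), is(Optional.of(familyName)));
        assertThat(atnPrincipal.abacAttribute("given_name"), is(Optional.of(givenName)));
        assertThat(atnPrincipal.abacAttribute("full_name"), is(Optional.of(fullName)));
        assertThat(atnPrincipal.abacAttribute("locale"), is(Optional.of(locale)));
    }, () -> fail("User must be present in response"));
}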
use of io.helidon.security.AuthenticationResponse in project helidon by oracle.
the class HttpAuthProviderBuilderTest method basicTestOptional.
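@Test
public void basicTestOptional() {
    // "basic_optional" is an optional authentication provider: a missing or wrong credential
    // makes it ABSTAIN (not FAILURE) with no 401 and no challenge, so the request continues
    // unauthenticated. Anything behind such a provider must therefore be protected by
    // authorization rules; the provider's presence alone grants no protection.
    AuthenticationResponse response = context.atnClientBuilder().explicitProvider("basic_optional").buildAndGet();
    assertThat(response.status().isSuccess(), is(false));
    assertThat(response.status().name(), is(SecurityResponse.SecurityStatus.ABSTAIN.name()));
    assertThat(response.statusCode().orElse(200), is(200));
    assertThat(response.description().orElse(""), is("No authorization header"));

    // Known user, wrong password: still ABSTAIN, and the pinned description is the generic
    // "Invalid username or password" wording rather than one that singles out the password.
    setHeader(context, HttpBasicAuthProvider.HEADER_AUTHENTICATION, buildBasic("jack", "invalid_passworrd"));
    response = context.atnClientBuilder().explicitProvider("basic_optional").buildAndGet();
    assertThat(response.status().isSuccess(), is(false));
    assertThat(response.status().name(), is(SecurityResponse.SecurityStatus.ABSTAIN.name()));
    assertThat(response.statusCode().orElse(200), is(200));
    assertThat(response.description().orElse(""), is("Invalid username or password"));
}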
use of io.helidon.security.AuthenticationResponse in project helidon by oracle.
the class HttpAuthProviderBuilderTest method digestTestJill.
@Test
public void digestTestJill() {
    // "jill" presents a valid digest (qop=auth) and must authenticate with HTTP 200. She is
    // expected to hold only the "user" role, so the "admin" role must be denied.
    String user = "jill";
    setHeader(context, HttpBasicAuthProvider.HEADER_AUTHENTICATION, buildDigest(HttpDigest.Qop.AUTH, user, "password"));
    AuthenticationResponse response = context.atnClientBuilder().explicitProvider("digest").buildAndGet();
    String failureDetail = response.description().orElse("No description");
    assertThat(failureDetail, response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
    assertThat(response.statusCode().orElse(200), is(200));
    assertThat(getUsername(context), is(user));
    // Least privilege: a plain user must never be treated as an admin.
    assertThat(context.isUserInRole("user"), is(true));
    assertThat(context.isUserInRole("admin"), is(false));
}
use of io.helidon.security.AuthenticationResponse in project helidon by oracle.
the class HttpAuthProviderBuilderTest method digestTestJack.
@Test
public void digestTestJack() {
    // "jack" presents a valid digest (qop=auth) and must authenticate with HTTP 200; this
    // account is expected to carry both the "admin" and the "user" role.
    String user = "jack";
    setHeader(context, HttpBasicAuthProvider.HEADER_AUTHENTICATION, buildDigest(HttpDigest.Qop.AUTH, user, "jackIsGreat"));
    AuthenticationResponse response = context.atnClientBuilder().explicitProvider("digest").buildAndGet();
    String failureDetail = response.description().orElse("No description");
    assertThat(failureDetail, response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
    assertThat(response.statusCode().orElse(200), is(200));
    assertThat(getUsername(context), is(user));
    assertThat(context.isUserInRole("user"), is(true));
    assertThat(context.isUserInRole("admin"), is(true));
}
use of io.helidon.security.AuthenticationResponse in project helidon by oracle.
the class HttpAuthProviderBuilderTest method digestTestWrongRealm.
@Test
public void digestTestWrongRealm() {
    // Correct password for "jack", but the digest is computed for a different realm. The
    // provider must reject it outright (FAILURE + 401) rather than abstain: a response hash
    // bound to another realm is not proof of the password for this one.
    String wrongRealm = "wrongRealm";
    setHeader(context,
              HttpBasicAuthProvider.HEADER_AUTHENTICATION,
              buildDigest(HttpDigest.Qop.AUTH,
                          "jack",
                          "jackIsGreat",
                          HttpDigestAuthProvider.nonce(System.currentTimeMillis(), random, "pwd".toCharArray()),
                          wrongRealm));
    AuthenticationResponse response = context.atnClientBuilder().explicitProvider("digest").buildAndGet();
    SecurityResponse.SecurityStatus expectedStatus = SecurityResponse.SecurityStatus.FAILURE;
    assertThat(response.status(), is(expectedStatus));
    assertThat(response.statusCode().orElse(200), is(401));
    assertThat(response.description().orElse(""), is("Invalid realm"));
}