Examples with PostEnvironment net.openid.conformance.condition.PostEnvironment used on opensource projects

Example 36 with PostEnvironment

use of net.openid.conformance.condition.PostEnvironment in project conformance-suite by openid-certification.

the class CreateRandomRegistrationClientUri method evaluate.

@Override
@PreEnvironment(strings = "base_url")
@PostEnvironment(required = "registration_client_uri")
public Environment evaluate(Environment env) {
    String baseUrl = env.getString("base_url");
    if (baseUrl.isEmpty()) {
        throw error("Base URL is empty");
    }
    baseUrl = baseUrl.replaceFirst(TestDispatcher.TEST_PATH, TestDispatcher.TEST_MTLS_PATH);
    // see https://gitlab.com/openid/conformance-suite/wikis/Developers/Build-&-Run#ciba-notification-endpoint
    String externalUrlOverride = env.getString("external_url_override");
    if (!Strings.isNullOrEmpty(externalUrlOverride)) {
        baseUrl = externalUrlOverride;
    }
    // https://datatracker.ietf.org/doc/html/rfc7592#appendix-B specifies no particular
    // form for this uri - we use a random one (rather than one, say, containing the client_id) to
    // ensure the client does not try to construct the url itself.
    String path = "clienturi/" + RandomStringUtils.randomAlphanumeric(64);
    JsonObject o = new JsonObject();
    o.addProperty("path", path);
    String fullUrl = baseUrl + "/" + path;
    o.addProperty("fullUrl", fullUrl);
    env.putObject("registration_client_uri", o);
    log("Created random URL for registration_client_uri", o);
    return env;
}

Example 37 with PostEnvironment

use of net.openid.conformance.condition.PostEnvironment in project conformance-suite by openid-certification.

the class ValidateRequestObjectSignature method evaluate.

@Override
@PreEnvironment(required = { "authorization_request_object", "client_public_jwks", "client" })
@PostEnvironment(strings = "request_object_signing_alg")
public Environment evaluate(Environment env) {
    String requestObject = env.getString("authorization_request_object", "value");
    JsonObject clientJwks = env.getObject("client_public_jwks");
    try {
        SignedJWT jwt = SignedJWT.parse(requestObject);
        JWKSet jwkSet = JWKSet.parse(clientJwks.toString());
        JsonObject client = env.getObject("client");
        if (client.has("request_object_signing_alg")) {
            // https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
            // request_object_signing_alg
            // All Request Objects from this Client MUST be rejected, if not signed with this algorithm.
            // The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used
            String expectedAlg = OIDFJSON.getString(client.get("request_object_signing_alg"));
            JWSAlgorithm jwsAlgorithm = jwt.getHeader().getAlgorithm();
            if (!jwsAlgorithm.getName().equals(expectedAlg)) {
                throw error("Algorithm in JWT header does not match client request_object_signing_alg.", args("actual", jwsAlgorithm.getName(), "expected", expectedAlg));
            }
        }
        SecurityContext context = new SimpleSecurityContext();
        JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(jwkSet);
        JWSKeySelector<SecurityContext> selector = new JWSVerificationKeySelector<>(jwt.getHeader().getAlgorithm(), jwkSource);
        // TODO signature verification should be changed to use kids
        List<? extends Key> keys = selector.selectJWSKeys(jwt.getHeader(), context);
        if (keys == null || keys.isEmpty()) {
            throw error("Could not find any keys that can be used to verify this signature", args("requestObject", requestObject, "clientJwks", clientJwks));
        }
        for (Key key : keys) {
            JWSVerifierFactory factory = new DefaultJWSVerifierFactory();
            JWSVerifier verifier = factory.createJWSVerifier(jwt.getHeader(), key);
            if (jwt.verify(verifier)) {
                String alg = jwt.getHeader().getAlgorithm().getName();
                env.putString("request_object_signing_alg", alg);
                logSuccess("Request object signature validated using a key in the client's JWKS " + "and using the client's registered request_object_signing_alg", args("request_object_signing_alg", alg, "jwk", key.toString(), "request_object", requestObject));
                return env;
            } else {
                // failed to verify with this key, moving on
                // not a failure yet as it might pass a different key
                log("Failed to verify signature using key", args("key", key.toString(), "requestObject", requestObject));
            }
        }
        // if we got here, it hasn't been verified by any key
        throw error("Unable to verify request object signature based on client keys", args("jwt_header", jwt.getHeader().toString(), "keys", new GsonBuilder().setPrettyPrinting().create().toJson(keys), "clientJwks", clientJwks, "requestObject", requestObject));
    } catch (JOSEException | ParseException e) {
        throw error("error validating request object signature", e);
    }
}

Example 38 with PostEnvironment

use of net.openid.conformance.condition.PostEnvironment in project conformance-suite by openid-certification.

the class AddJtiToRequestObject method evaluate.

@Override
@PreEnvironment(required = { "request_object_claims" })
@PostEnvironment(required = { "request_object_claims" })
public Environment evaluate(Environment env) {
    JsonObject requestObjectClaims = env.getObject("request_object_claims");
    // RFC 7519 doesn't contain any restrictions on jti other than it "is a case-sensitive string",
    // so this is a very conservative choice of value
    final String jti = RandomStringUtils.randomAlphanumeric(20);
    requestObjectClaims.addProperty("jti", jti);
    env.putObject("request_object_claims", requestObjectClaims);
    logSuccess("Added jti to request object claims", args("jti", jti));
    return env;
}

Example 39 with PostEnvironment

use of net.openid.conformance.condition.PostEnvironment in project conformance-suite by openid-certification.

the class AddJwksUriToDynamicRegistrationRequest method evaluate.

@Override
@PreEnvironment(required = "dynamic_registration_request", strings = "jwks_uri")
@PostEnvironment(required = "dynamic_registration_request")
public Environment evaluate(Environment env) {
    JsonObject dynamicRegistrationRequest = env.getObject("dynamic_registration_request");
    String jwksUri = env.getString("jwks_uri");
    dynamicRegistrationRequest.addProperty("jwks_uri", jwksUri);
    env.putObject("dynamic_registration_request", dynamicRegistrationRequest);
    log("Added jwks_uri to dynamic registration request", args("dynamic_registration_request", dynamicRegistrationRequest));
    return env;
}

Example 40 with PostEnvironment

use of net.openid.conformance.condition.PostEnvironment in project conformance-suite by openid-certification.

the class AddLoginHintFromConfigurationToAuthorizationEndpointRequest method evaluate.

@Override
@PreEnvironment(required = { "authorization_endpoint_request", "config" })
@PostEnvironment(required = "authorization_endpoint_request")
public Environment evaluate(Environment env) {
    JsonObject authorizationEndpointRequest = env.getObject("authorization_endpoint_request");
    String loginHint = env.getString("config", "server.login_hint");
    String msg;
    if (Strings.isNullOrEmpty(loginHint)) {
        String issuer = env.getString("server", "issuer");
        try {
            @SuppressWarnings("unused") URI issuerUri = new URI(issuer);
            loginHint = "buffy@" + issuerUri.getHost();
        } catch (URISyntaxException e) {
            throw error("Couldn't parse issuer as URL", e, args("issuer", issuer));
        }
        msg = "No login_hint in test configuration, created one based on issuer and added login_hint to authorization endpoint request";
    } else {
        msg = "Added login_hint from test configuration to authorization endpoint request";
    }
    authorizationEndpointRequest.addProperty("login_hint", loginHint);
    env.putObject("authorization_endpoint_request", authorizationEndpointRequest);
    logSuccess(msg, authorizationEndpointRequest);
    return env;
}