Search in sources :

Example 26 with Approval

use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.

the class DeprecatedUaaTokenServicesTests method testReadAccessToken_When_Given_Refresh_token_should_throw_exception.

@Test
public void testReadAccessToken_When_Given_Refresh_token_should_throw_exception() {
    tokenServices.setExcludedClaims(new HashSet<>(Arrays.asList(ClaimConstants.EMAIL, ClaimConstants.USER_NAME)));
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters());
    azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
    authorizationRequest.setRequestParameters(azParameters);
    Authentication userAuthentication = tokenSupport.defaultUserAuthentication;
    Calendar expiresAt1 = Calendar.getInstance();
    expiresAt1.add(Calendar.MILLISECOND, 3000);
    Calendar updatedAt1 = Calendar.getInstance();
    updatedAt1.add(Calendar.MILLISECOND, -1000);
    tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.readScope.get(0)).setExpiresAt(expiresAt1.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt1.getTime()), IdentityZoneHolder.get().getId());
    tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.writeScope.get(0)).setExpiresAt(expiresAt1.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt1.getTime()), IdentityZoneHolder.get().getId());
    Approval approval = new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(OPENID).setExpiresAt(expiresAt1.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt1.getTime());
    tokenSupport.approvalStore.addApproval(approval, IdentityZoneHolder.get().getId());
    OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
    OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication);
    expectedException.expectMessage("The token does not bear a \"scope\" claim.");
    tokenServices.readAccessToken(accessToken.getRefreshToken().getValue());
}
Also used : AuthorizationRequest(org.springframework.security.oauth2.provider.AuthorizationRequest) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) Authentication(org.springframework.security.core.Authentication) DefaultOAuth2AccessToken(org.springframework.security.oauth2.common.DefaultOAuth2AccessToken) OAuth2AccessToken(org.springframework.security.oauth2.common.OAuth2AccessToken) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) IsEmptyString.isEmptyString(org.hamcrest.text.IsEmptyString.isEmptyString) Approval(org.cloudfoundry.identity.uaa.approval.Approval)

Example 27 with Approval

use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.

the class UserManagedAuthzApprovalHandlerTests method allRequestedScopesMatchApproval.

@Test
void allRequestedScopesMatchApproval() {
    AuthorizationRequest request = new AuthorizationRequest("foo", new HashSet<>(Arrays.asList("openid", "cloud_controller.read", "cloud_controller.write")));
    request.setApproved(false);
    approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("openid").setExpiresAt(nextWeek).setStatus(APPROVED), currentIdentityZoneId);
    approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("cloud_controller.read").setExpiresAt(nextWeek).setStatus(APPROVED), currentIdentityZoneId);
    approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("cloud_controller.write").setExpiresAt(nextWeek).setStatus(APPROVED), currentIdentityZoneId);
    // The request is approved because the user has approved all the scopes
    // requested
    assertTrue(handler.isApproved(request, mockAuthentication));
    assertEquals(new HashSet<>(Arrays.asList("openid", "cloud_controller.read", "cloud_controller.write")), request.getScope());
}
Also used : AuthorizationRequest(org.springframework.security.oauth2.provider.AuthorizationRequest) Approval(org.cloudfoundry.identity.uaa.approval.Approval) Test(org.junit.jupiter.api.Test)

Example 28 with Approval

use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.

the class UserManagedAuthzApprovalHandlerTests method onlySomeRequestedScopeMatchesDeniedApprovalButScopeAutoApproved.

@Test
void onlySomeRequestedScopeMatchesDeniedApprovalButScopeAutoApproved() {
    AuthorizationRequest request = new AuthorizationRequest("foo", new HashSet<>(Arrays.asList("openid", "cloud_controller.read")));
    request.setApproved(false);
    when(mockBaseClientDetails.getScope()).thenReturn(new HashSet<>(Arrays.asList("cloud_controller.read", "cloud_controller.write", "openid")));
    when(mockBaseClientDetails.getAutoApproveScopes()).thenReturn(singleton("true"));
    approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("cloud_controller.read").setExpiresAt(nextWeek).setStatus(DENIED), currentIdentityZoneId);
    approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("openid").setExpiresAt(nextWeek).setStatus(DENIED), currentIdentityZoneId);
    assertTrue(handler.isApproved(request, mockAuthentication));
    assertEquals(new HashSet<>(Arrays.asList("cloud_controller.read", "openid")), request.getScope());
}
Also used : AuthorizationRequest(org.springframework.security.oauth2.provider.AuthorizationRequest) Approval(org.cloudfoundry.identity.uaa.approval.Approval) Test(org.junit.jupiter.api.Test)

Example 29 with Approval

use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.

the class DeprecatedUaaTokenServicesTests method testRefreshTokenExpiry.

@Test
public void testRefreshTokenExpiry() {
    Calendar expiresAt = Calendar.getInstance();
    expiresAt.add(Calendar.MILLISECOND, 3000);
    tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.readScope.get(0)).setExpiresAt(expiresAt.getTime()).setStatus(ApprovalStatus.APPROVED), IdentityZoneHolder.get().getId());
    tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.writeScope.get(0)).setExpiresAt(expiresAt.getTime()).setStatus(ApprovalStatus.APPROVED), IdentityZoneHolder.get().getId());
    BaseClientDetails clientDetails = cloneClient(tokenSupport.defaultClient);
    // Back date the refresh token. Crude way to do this but i'm not sure of
    // another
    clientDetails.setRefreshTokenValiditySeconds(-36000);
    tokenSupport.clientDetailsService.setClientDetailsStore(IdentityZoneHolder.get().getId(), Collections.singletonMap(CLIENT_ID, clientDetails));
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters());
    azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
    authorizationRequest.setRequestParameters(azParameters);
    Authentication userAuthentication = tokenSupport.defaultUserAuthentication;
    OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
    OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication);
    AuthorizationRequest refreshAuthorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    refreshAuthorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> refreshAzParameters = new HashMap<>(refreshAuthorizationRequest.getRequestParameters());
    refreshAzParameters.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN);
    refreshAuthorizationRequest.setRequestParameters(refreshAzParameters);
    try {
        tokenServices.refreshAccessToken(accessToken.getRefreshToken().getValue(), tokenSupport.requestFactory.createTokenRequest(refreshAuthorizationRequest, "refresh_token"));
        fail("Expected Exception was not thrown");
    } catch (InvalidTokenException e) {
        assertThat(e.getMessage(), not(containsString(accessToken.getRefreshToken().getValue())));
    }
}
Also used : BaseClientDetails(org.springframework.security.oauth2.provider.client.BaseClientDetails) InvalidTokenException(org.springframework.security.oauth2.common.exceptions.InvalidTokenException) AuthorizationRequest(org.springframework.security.oauth2.provider.AuthorizationRequest) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) Authentication(org.springframework.security.core.Authentication) DefaultOAuth2AccessToken(org.springframework.security.oauth2.common.DefaultOAuth2AccessToken) OAuth2AccessToken(org.springframework.security.oauth2.common.OAuth2AccessToken) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) IsEmptyString.isEmptyString(org.hamcrest.text.IsEmptyString.isEmptyString) Approval(org.cloudfoundry.identity.uaa.approval.Approval)

Example 30 with Approval

use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.

the class DeprecatedUaaTokenServicesTests method testCreateAccessTokenRefreshGrantNoScopesAutoApprovedIncompleteApprovals.

@Test(expected = InvalidTokenException.class)
public void testCreateAccessTokenRefreshGrantNoScopesAutoApprovedIncompleteApprovals() {
    BaseClientDetails clientDetails = cloneClient(tokenSupport.defaultClient);
    clientDetails.setAutoApproveScopes(emptyList());
    tokenSupport.clientDetailsService.setClientDetailsStore(IdentityZoneHolder.get().getId(), Collections.singletonMap(CLIENT_ID, clientDetails));
    Calendar expiresAt = Calendar.getInstance();
    expiresAt.add(Calendar.MILLISECOND, 3000);
    Calendar updatedAt = Calendar.getInstance();
    updatedAt.add(Calendar.MILLISECOND, -1000);
    tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.writeScope.get(0)).setExpiresAt(expiresAt.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt.getTime()), IdentityZoneHolder.get().getId());
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters());
    azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
    authorizationRequest.setRequestParameters(azParameters);
    Authentication userAuthentication = tokenSupport.defaultUserAuthentication;
    OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
    OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication);
    this.assertCommonUserAccessTokenProperties(accessToken, CLIENT_ID);
    assertThat(accessToken, issuerUri(is(ISSUER_URI)));
    assertThat(accessToken, scope(is(tokenSupport.requestedAuthScopes)));
    assertThat(accessToken, validFor(is(60 * 60 * 12)));
    OAuth2RefreshToken refreshToken = accessToken.getRefreshToken();
    this.assertCommonUserRefreshTokenProperties(refreshToken);
    assertThat(refreshToken, OAuth2RefreshTokenMatchers.issuerUri(is(ISSUER_URI)));
    assertThat(refreshToken, OAuth2RefreshTokenMatchers.validFor(is(60 * 60 * 24 * 30)));
    this.assertCommonEventProperties(accessToken, tokenSupport.userId, buildJsonString(tokenSupport.requestedAuthScopes));
    AuthorizationRequest refreshAuthorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    refreshAuthorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> refreshAzParameters = new HashMap<>(refreshAuthorizationRequest.getRequestParameters());
    refreshAzParameters.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN);
    refreshAuthorizationRequest.setRequestParameters(refreshAzParameters);
    tokenServices.refreshAccessToken(accessToken.getRefreshToken().getValue(), tokenSupport.requestFactory.createTokenRequest(refreshAuthorizationRequest, "refresh_token"));
}
Also used : BaseClientDetails(org.springframework.security.oauth2.provider.client.BaseClientDetails) AuthorizationRequest(org.springframework.security.oauth2.provider.AuthorizationRequest) OAuth2RefreshToken(org.springframework.security.oauth2.common.OAuth2RefreshToken) CompositeExpiringOAuth2RefreshToken(org.cloudfoundry.identity.uaa.oauth.refresh.CompositeExpiringOAuth2RefreshToken) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) Authentication(org.springframework.security.core.Authentication) DefaultOAuth2AccessToken(org.springframework.security.oauth2.common.DefaultOAuth2AccessToken) OAuth2AccessToken(org.springframework.security.oauth2.common.OAuth2AccessToken) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) IsEmptyString.isEmptyString(org.hamcrest.text.IsEmptyString.isEmptyString) Approval(org.cloudfoundry.identity.uaa.approval.Approval)

Aggregations

Approval (org.cloudfoundry.identity.uaa.approval.Approval)80 Test (org.junit.jupiter.api.Test)34 AuthorizationRequest (org.springframework.security.oauth2.provider.AuthorizationRequest)29 Date (java.util.Date)26 OAuth2AccessToken (org.springframework.security.oauth2.common.OAuth2AccessToken)21 DefaultOAuth2AccessToken (org.springframework.security.oauth2.common.DefaultOAuth2AccessToken)19 BaseClientDetails (org.springframework.security.oauth2.provider.client.BaseClientDetails)18 Authentication (org.springframework.security.core.Authentication)17 OAuth2Authentication (org.springframework.security.oauth2.provider.OAuth2Authentication)17 IsEmptyString.isEmptyString (org.hamcrest.text.IsEmptyString.isEmptyString)16 Test (org.junit.Test)16 ApprovalStore (org.cloudfoundry.identity.uaa.approval.ApprovalStore)7 MockHttpServletRequestBuilder (org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder)6 ClientDetailsModification (org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification)5 ScimUser (org.cloudfoundry.identity.uaa.scim.ScimUser)5 ClientDetails (org.springframework.security.oauth2.provider.ClientDetails)5 ArrayList (java.util.ArrayList)4 ClientDetailsHelper.arrayFromString (org.cloudfoundry.identity.uaa.mock.util.ClientDetailsHelper.arrayFromString)4 ClientDetailsHelper.clientArrayFromString (org.cloudfoundry.identity.uaa.mock.util.ClientDetailsHelper.clientArrayFromString)4 ClientDetailsHelper.clientFromString (org.cloudfoundry.identity.uaa.mock.util.ClientDetailsHelper.clientFromString)4