use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.
the class DeprecatedUaaTokenServicesTests method testReadAccessToken_When_Given_Refresh_token_should_throw_exception.
@Test
public void testReadAccessToken_When_Given_Refresh_token_should_throw_exception() {
tokenServices.setExcludedClaims(new HashSet<>(Arrays.asList(ClaimConstants.EMAIL, ClaimConstants.USER_NAME)));
AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters());
azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
authorizationRequest.setRequestParameters(azParameters);
Authentication userAuthentication = tokenSupport.defaultUserAuthentication;
Calendar expiresAt1 = Calendar.getInstance();
expiresAt1.add(Calendar.MILLISECOND, 3000);
Calendar updatedAt1 = Calendar.getInstance();
updatedAt1.add(Calendar.MILLISECOND, -1000);
tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.readScope.get(0)).setExpiresAt(expiresAt1.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt1.getTime()), IdentityZoneHolder.get().getId());
tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.writeScope.get(0)).setExpiresAt(expiresAt1.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt1.getTime()), IdentityZoneHolder.get().getId());
Approval approval = new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(OPENID).setExpiresAt(expiresAt1.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt1.getTime());
tokenSupport.approvalStore.addApproval(approval, IdentityZoneHolder.get().getId());
OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication);
expectedException.expectMessage("The token does not bear a \"scope\" claim.");
tokenServices.readAccessToken(accessToken.getRefreshToken().getValue());
}
use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.
the class UserManagedAuthzApprovalHandlerTests method allRequestedScopesMatchApproval.
@Test
void allRequestedScopesMatchApproval() {
AuthorizationRequest request = new AuthorizationRequest("foo", new HashSet<>(Arrays.asList("openid", "cloud_controller.read", "cloud_controller.write")));
request.setApproved(false);
approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("openid").setExpiresAt(nextWeek).setStatus(APPROVED), currentIdentityZoneId);
approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("cloud_controller.read").setExpiresAt(nextWeek).setStatus(APPROVED), currentIdentityZoneId);
approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("cloud_controller.write").setExpiresAt(nextWeek).setStatus(APPROVED), currentIdentityZoneId);
// The request is approved because the user has approved all the scopes
// requested
assertTrue(handler.isApproved(request, mockAuthentication));
assertEquals(new HashSet<>(Arrays.asList("openid", "cloud_controller.read", "cloud_controller.write")), request.getScope());
}
use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.
the class UserManagedAuthzApprovalHandlerTests method onlySomeRequestedScopeMatchesDeniedApprovalButScopeAutoApproved.
@Test
void onlySomeRequestedScopeMatchesDeniedApprovalButScopeAutoApproved() {
AuthorizationRequest request = new AuthorizationRequest("foo", new HashSet<>(Arrays.asList("openid", "cloud_controller.read")));
request.setApproved(false);
when(mockBaseClientDetails.getScope()).thenReturn(new HashSet<>(Arrays.asList("cloud_controller.read", "cloud_controller.write", "openid")));
when(mockBaseClientDetails.getAutoApproveScopes()).thenReturn(singleton("true"));
approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("cloud_controller.read").setExpiresAt(nextWeek).setStatus(DENIED), currentIdentityZoneId);
approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("openid").setExpiresAt(nextWeek).setStatus(DENIED), currentIdentityZoneId);
assertTrue(handler.isApproved(request, mockAuthentication));
assertEquals(new HashSet<>(Arrays.asList("cloud_controller.read", "openid")), request.getScope());
}
use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.
the class DeprecatedUaaTokenServicesTests method testRefreshTokenExpiry.
@Test
public void testRefreshTokenExpiry() {
Calendar expiresAt = Calendar.getInstance();
expiresAt.add(Calendar.MILLISECOND, 3000);
tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.readScope.get(0)).setExpiresAt(expiresAt.getTime()).setStatus(ApprovalStatus.APPROVED), IdentityZoneHolder.get().getId());
tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.writeScope.get(0)).setExpiresAt(expiresAt.getTime()).setStatus(ApprovalStatus.APPROVED), IdentityZoneHolder.get().getId());
BaseClientDetails clientDetails = cloneClient(tokenSupport.defaultClient);
// Back date the refresh token. Crude way to do this but i'm not sure of
// another
clientDetails.setRefreshTokenValiditySeconds(-36000);
tokenSupport.clientDetailsService.setClientDetailsStore(IdentityZoneHolder.get().getId(), Collections.singletonMap(CLIENT_ID, clientDetails));
AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters());
azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
authorizationRequest.setRequestParameters(azParameters);
Authentication userAuthentication = tokenSupport.defaultUserAuthentication;
OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication);
AuthorizationRequest refreshAuthorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
refreshAuthorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
Map<String, String> refreshAzParameters = new HashMap<>(refreshAuthorizationRequest.getRequestParameters());
refreshAzParameters.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN);
refreshAuthorizationRequest.setRequestParameters(refreshAzParameters);
try {
tokenServices.refreshAccessToken(accessToken.getRefreshToken().getValue(), tokenSupport.requestFactory.createTokenRequest(refreshAuthorizationRequest, "refresh_token"));
fail("Expected Exception was not thrown");
} catch (InvalidTokenException e) {
assertThat(e.getMessage(), not(containsString(accessToken.getRefreshToken().getValue())));
}
}
use of org.cloudfoundry.identity.uaa.approval.Approval in project uaa by cloudfoundry.
the class DeprecatedUaaTokenServicesTests method testCreateAccessTokenRefreshGrantNoScopesAutoApprovedIncompleteApprovals.
@Test(expected = InvalidTokenException.class)
public void testCreateAccessTokenRefreshGrantNoScopesAutoApprovedIncompleteApprovals() {
BaseClientDetails clientDetails = cloneClient(tokenSupport.defaultClient);
clientDetails.setAutoApproveScopes(emptyList());
tokenSupport.clientDetailsService.setClientDetailsStore(IdentityZoneHolder.get().getId(), Collections.singletonMap(CLIENT_ID, clientDetails));
Calendar expiresAt = Calendar.getInstance();
expiresAt.add(Calendar.MILLISECOND, 3000);
Calendar updatedAt = Calendar.getInstance();
updatedAt.add(Calendar.MILLISECOND, -1000);
tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.writeScope.get(0)).setExpiresAt(expiresAt.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt.getTime()), IdentityZoneHolder.get().getId());
AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters());
azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
authorizationRequest.setRequestParameters(azParameters);
Authentication userAuthentication = tokenSupport.defaultUserAuthentication;
OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication);
this.assertCommonUserAccessTokenProperties(accessToken, CLIENT_ID);
assertThat(accessToken, issuerUri(is(ISSUER_URI)));
assertThat(accessToken, scope(is(tokenSupport.requestedAuthScopes)));
assertThat(accessToken, validFor(is(60 * 60 * 12)));
OAuth2RefreshToken refreshToken = accessToken.getRefreshToken();
this.assertCommonUserRefreshTokenProperties(refreshToken);
assertThat(refreshToken, OAuth2RefreshTokenMatchers.issuerUri(is(ISSUER_URI)));
assertThat(refreshToken, OAuth2RefreshTokenMatchers.validFor(is(60 * 60 * 24 * 30)));
this.assertCommonEventProperties(accessToken, tokenSupport.userId, buildJsonString(tokenSupport.requestedAuthScopes));
AuthorizationRequest refreshAuthorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
refreshAuthorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
Map<String, String> refreshAzParameters = new HashMap<>(refreshAuthorizationRequest.getRequestParameters());
refreshAzParameters.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN);
refreshAuthorizationRequest.setRequestParameters(refreshAzParameters);
tokenServices.refreshAccessToken(accessToken.getRefreshToken().getValue(), tokenSupport.requestFactory.createTokenRequest(refreshAuthorizationRequest, "refresh_token"));
}
Aggregations