Usage of org.cloudfoundry.identity.uaa.approval.Approval in the cloudfoundry/uaa project.
From class CheckTokenEndpointTests, method setUp (test fixture construction).
/**
 * Builds the CheckTokenEndpoint under test together with an in-memory UAA fixture:
 * a mocked zone manager pinned to the default (UAA) zone, a fixed clock, one user with
 * read/write/zone-admin authorities, a "client" holding two APPROVED approvals, and a
 * UaaTokenServices that is backed by an in-memory revocable-token store when
 * {@code opaque} is true.
 *
 * Statement order matters here: IdentityZoneHolder is thread-local state that is reset
 * early and set to the default zone later, and several lines read it in between.
 *
 * @param opaque when true, issued tokens use the opaque format and are kept in
 *               {@code tokenMap} through the mocked RevocableTokenProvisioning;
 *               when false no token-format parameter is set
 * @throws Exception propagated from fixture setup
 */
public void setUp(boolean opaque) throws Exception {
// A non-default zone fixture; its client store is registered below so zone-scoped lookups can be exercised.
zone = MultitenancyFixture.identityZone("id", "subdomain");
defaultZone = IdentityZone.getUaa();
// The zone manager mock always answers with the default UAA zone.
mockIdentityZoneManager = mock(IdentityZoneManager.class);
when(mockIdentityZoneManager.getCurrentIdentityZoneId()).thenReturn(IdentityZone.getUaaZoneId());
when(mockIdentityZoneManager.getCurrentIdentityZone()).thenReturn(defaultZone);
clientDetailsService = new InMemoryMultitenantClientServices(mockIdentityZoneManager);
// Clear thread-local zone state left behind by earlier tests; the holder is set to defaultZone further down.
TestUtils.resetIdentityZoneHolder(null);
// Fixed clock, 10 seconds after the epoch; every expiry/validity assertion in these tests is relative to it.
nowMillis = 10000L;
timeService = mock(TimeService.class);
when(timeService.getCurrentTimeMillis()).thenReturn(nowMillis);
when(timeService.getCurrentDate()).thenCallRealMethod();
// Two plain scopes, one zone-admin scope, plus the standard UAA user authorities.
userAuthorities = new ArrayList<>();
userAuthorities.add(new SimpleGrantedAuthority("read"));
userAuthorities.add(new SimpleGrantedAuthority("write"));
userAuthorities.add(new SimpleGrantedAuthority("zones.myzone.admin"));
userAuthorities.addAll(UaaAuthority.USER_AUTHORITIES);
// Test-only user; "password" and "salt" are fixture literals, not credentials. Created/modified 2s before the fixed clock.
// NOTE(review): IdentityZoneHolder.get() is read here, before IdentityZoneHolder.set(defaultZone) below,
// so the zone id stored on the user is whatever resetIdentityZoneHolder(null) leaves in place — confirm it is the UAA zone.
user = new UaaUser(userId, userName, "password", userEmail, userAuthorities, "GivenName", "FamilyName", new Date(nowMillis - 2000), new Date(nowMillis - 2000), OriginKeys.UAA, "externalId", false, IdentityZoneHolder.get().getId(), "salt", new Date(nowMillis - 2000));
// Authorization request for "client" asking only for "read", aimed at the "client" and "scim" resources.
authorizationRequest = new AuthorizationRequest("client", Collections.singleton("read"));
authorizationRequest.setResourceIds(new HashSet<>(Arrays.asList("client", "scim")));
Map<String, String> requestParameters = new HashMap<>();
tokenProvisioning = mock(RevocableTokenProvisioning.class);
if (opaque) {
// In-memory stand-in for the revocable-token store, keyed by token id.
tokenMap = new HashMap<>();
when(tokenProvisioning.create(any(), anyString())).thenAnswer(invocation -> {
RevocableToken token = (RevocableToken) invocation.getArguments()[0];
tokenMap.put(token.getTokenId(), token);
return token;
});
// NOTE(review): lookups use the token id only; the zone-id argument (second parameter) is ignored by this
// mock, so the fixture cannot detect a cross-zone token retrieval — do not rely on it for that property.
when(tokenProvisioning.retrieve(anyString(), anyString())).thenAnswer(invocation -> {
String id = (String) invocation.getArguments()[0];
return tokenMap.get(id);
});
// Ask the token services for opaque (stored, revocable) tokens instead of self-contained ones.
requestParameters.put(TokenConstants.REQUEST_TOKEN_FORMAT, OPAQUE.getStringValue());
}
authorizationRequest.setRequestParameters(requestParameters);
authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), UaaAuthenticationTestFactory.getAuthentication(userId, userName, "olds@vmware.com"));
// Register signerKey under key id "testKey" for the default zone.
configureDefaultZoneKeys(Collections.singletonMap("testKey", signerKey));
IdentityZoneHolder.set(defaultZone);
when(zoneProvisioning.retrieve(IdentityZone.getUaaZoneId())).thenReturn(defaultZone);
// Approvals for "read" and "write": APPROVED, last updated 1s before the fixed clock, expiring 30s after it.
Date oneSecondAgo = new Date(nowMillis - 1000);
Date thirtySecondsAhead = new Date(nowMillis + 30000);
approvalStore.addApproval(new Approval().setUserId(userId).setClientId("client").setScope("read").setExpiresAt(thirtySecondsAhead).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(oneSecondAgo), IdentityZoneHolder.get().getId());
approvalStore.addApproval(new Approval().setUserId(userId).setClientId("client").setScope("write").setExpiresAt(thirtySecondsAhead).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(oneSecondAgo), IdentityZoneHolder.get().getId());
// Client "client": resources "scim, cc", scopes "read, write", authorization_code + password grants,
// authorities "scim.read, scim.write, cat.pet", and a localhost redirect URI.
defaultClient = new BaseClientDetails("client", "scim, cc", "read, write", "authorization_code, password", "scim.read, scim.write, cat.pet", "http://localhost:8080/uaa");
clientDetailsStore = Collections.singletonMap("client", defaultClient);
// The same client store is registered for both the fixture zone and the current (default) zone.
clientDetailsService.setClientDetailsStore(zone.getId(), clientDetailsStore);
clientDetailsService.setClientDetailsStore(IdentityZoneHolder.get().getId(), clientDetailsStore);
tokenEndpointBuilder = new TokenEndpointBuilder("http://localhost:8080/uaa");
userDatabase = mock(UaaUserDatabase.class);
KeyInfoService keyInfoService = new KeyInfoService("http://localhost:8080/uaa");
tokenValidationService = new TokenValidationService(tokenProvisioning, tokenEndpointBuilder, userDatabase, clientDetailsService, keyInfoService);
ApprovalService approvalService = new ApprovalService(timeService, approvalStore);
// Token services wired to the mocks above; the id-token creator is a mock, the sixth argument is left null
// (presumably a collaborator these tests do not exercise — verify against the UaaTokenServices constructor),
// and Integer.MAX_VALUE is handed to TokenValidityResolver (its meaning there is not visible here).
tokenServices = new UaaTokenServices(mock(IdTokenCreator.class), tokenEndpointBuilder, clientDetailsService, tokenProvisioning, tokenValidationService, null, timeService, new TokenValidityResolver(new ClientAccessTokenValidity(clientDetailsService, mockIdentityZoneManager), Integer.MAX_VALUE, timeService), userDatabase, Sets.newHashSet(), IdentityZoneHolder.get().getConfig().getTokenPolicy(), keyInfoService, new IdTokenGranter(approvalService), approvalService);
// Helper defined elsewhere in this class; presumably makes the mocked userDatabase return `user` for userId.
resetAndMockUserDatabase(userId, user);
endpoint = new CheckTokenEndpoint(tokenServices, timeService);
}
Usage of org.cloudfoundry.identity.uaa.approval.Approval in the cloudfoundry/uaa project.
From class DeprecatedUaaTokenServicesTests, method testCreateAccessTokenRefreshGrantSomeScopesAutoApproved.
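/**
 * Refresh-grant round trip where one requested scope ("read") is auto-approved on the
 * client and the others ("write", openid) are covered by explicit user approvals.
 *
 * Checks that the initial authorization-code token carries the full requested scope set,
 * that the refresh grant succeeds, and that the refresh token is reused rather than rotated
 * (the refreshed token carries the same refresh-token value as the original).
 *
 * Fixes versus the previous version: the not-null check on the refresh token now runs
 * before anything dereferences it, the refreshed token's refresh token is checked before
 * its value is read, and assertEquals receives (expected, actual) in that order so a
 * failure message reads correctly.
 *
 * NOTE(review): the approvals expire 3 seconds after Calendar.getInstance() (wall clock),
 * so a very slow run could see them expire before the refresh call — confirm if this
 * test ever proves flaky.
 */
@Test
public void testCreateAccessTokenRefreshGrantSomeScopesAutoApproved() {
    // Client clone with "read" auto-approved; the store is replaced for the current zone only.
    BaseClientDetails clientDetails = cloneClient(tokenSupport.defaultClient);
    clientDetails.setAutoApproveScopes(tokenSupport.readScope);
    tokenSupport.clientDetailsService.setClientDetailsStore(IdentityZoneHolder.get().getId(), Collections.singletonMap(CLIENT_ID, clientDetails));

    // Explicit approvals for the scopes that are not auto-approved: valid for 3s, last updated 1s ago.
    Calendar expiresAt = Calendar.getInstance();
    expiresAt.add(Calendar.MILLISECOND, 3000);
    Calendar updatedAt = Calendar.getInstance();
    updatedAt.add(Calendar.MILLISECOND, -1000);
    tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.writeScope.get(0)).setExpiresAt(expiresAt.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt.getTime()), IdentityZoneHolder.get().getId());
    tokenSupport.approvalStore.addApproval(new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(OPENID).setExpiresAt(expiresAt.getTime()).setStatus(ApprovalStatus.APPROVED).setLastUpdatedAt(updatedAt.getTime()), IdentityZoneHolder.get().getId());

    // Authorization-code grant for the standard requested scopes and resource ids.
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters());
    azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
    authorizationRequest.setRequestParameters(azParameters);
    Authentication userAuthentication = tokenSupport.defaultUserAuthentication;
    OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
    OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication);

    this.assertCommonUserAccessTokenProperties(accessToken, CLIENT_ID);
    assertThat(accessToken, issuerUri(is(ISSUER_URI)));
    assertThat(accessToken, scope(is(tokenSupport.requestedAuthScopes)));
    assertThat(accessToken, validFor(is(60 * 60 * 12)));

    // Guard before any dereference: the original test asserted this only at the very end.
    OAuth2RefreshToken refreshToken = accessToken.getRefreshToken();
    assertThat(refreshToken, is(not(nullValue())));
    this.assertCommonUserRefreshTokenProperties(refreshToken);
    assertThat(refreshToken, OAuth2RefreshTokenMatchers.issuerUri(is(ISSUER_URI)));
    assertThat(refreshToken, OAuth2RefreshTokenMatchers.validFor(is(60 * 60 * 24 * 30)));
    this.assertCommonEventProperties(accessToken, tokenSupport.userId, buildJsonString(tokenSupport.requestedAuthScopes));

    // Refresh grant with the same scopes.
    AuthorizationRequest refreshAuthorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    refreshAuthorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> refreshAzParameters = new HashMap<>(refreshAuthorizationRequest.getRequestParameters());
    refreshAzParameters.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN);
    refreshAuthorizationRequest.setRequestParameters(refreshAzParameters);
    OAuth2AccessToken refreshedAccessToken = tokenServices.refreshAccessToken(refreshToken.getValue(), tokenSupport.requestFactory.createTokenRequest(refreshAuthorizationRequest, "refresh_token"));

    // The refresh token is reused, not rotated: same value comes back on the refreshed token.
    assertThat(refreshedAccessToken.getRefreshToken(), is(not(nullValue())));
    assertEquals(refreshToken.getValue(), refreshedAccessToken.getRefreshToken().getValue());
    this.assertCommonUserAccessTokenProperties(refreshedAccessToken, CLIENT_ID);
    assertThat(refreshedAccessToken, issuerUri(is(ISSUER_URI)));
    assertThat(refreshedAccessToken, validFor(is(60 * 60 * 12)));
}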
Usage of org.cloudfoundry.identity.uaa.approval.Approval in the cloudfoundry/uaa project.
From class DeprecatedUaaTokenServicesTests, method testRefreshTokenAfterApprovalsRevoked.
/**
 * Revoking every approval the user holds for the client must invalidate the refresh
 * token: the refresh grant on the last line is expected to fail with
 * {@link InvalidTokenException}.
 *
 * NOTE(review): {@code @Test(expected = ...)} is satisfied by that exception from any
 * line of the method, including the initial createAccessToken call; only the final
 * refreshAccessToken call is meant to throw.
 */
@Test(expected = InvalidTokenException.class)
public void testRefreshTokenAfterApprovalsRevoked() {
    // Issue a token through the authorization-code grant while approvals are still intact.
    AuthorizationRequest codeRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    codeRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> codeParams = new HashMap<>(codeRequest.getRequestParameters());
    codeParams.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
    codeRequest.setRequestParameters(codeParams);
    OAuth2Authentication codeAuthentication = new OAuth2Authentication(codeRequest.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    OAuth2AccessToken issuedToken = tokenServices.createAccessToken(codeAuthentication);

    // Add one more approval (read scope, expiring 3s from now), then revoke every approval
    // the user holds for this client in the current zone.
    String zoneId = IdentityZoneHolder.get().getId();
    Calendar readExpiry = Calendar.getInstance();
    readExpiry.add(Calendar.MILLISECOND, 3000);
    Approval readApproval = new Approval().setUserId(tokenSupport.userId).setClientId(CLIENT_ID).setScope(tokenSupport.readScope.get(0)).setExpiresAt(readExpiry.getTime()).setStatus(ApprovalStatus.APPROVED);
    tokenSupport.approvalStore.addApproval(readApproval, zoneId);
    for (Approval existing : tokenSupport.approvalStore.getApprovals(tokenSupport.userId, CLIENT_ID, zoneId)) {
        tokenSupport.approvalStore.revokeApproval(existing, zoneId);
    }

    // Refresh grant for the same scopes: nothing is approved any more, so this should throw.
    AuthorizationRequest refreshRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    refreshRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> refreshParams = new HashMap<>(refreshRequest.getRequestParameters());
    refreshParams.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN);
    refreshRequest.setRequestParameters(refreshParams);
    String refreshTokenValue = issuedToken.getRefreshToken().getValue();
    tokenServices.refreshAccessToken(refreshTokenValue, tokenSupport.requestFactory.createTokenRequest(refreshRequest, "refresh_token"));
}
Usage of org.cloudfoundry.identity.uaa.approval.Approval in the cloudfoundry/uaa project.
From class UserManagedAuthzApprovalHandlerTests, method requestedScopesMatchApprovalButSomeDenied.
/**
 * Every requested scope has a stored approval record, but one of them is DENIED.
 *
 * The handler treats the request as approved — the user has already acted on all
 * requested scopes — and narrows the request's scope set to the APPROVED ones, dropping
 * the denied "cloud_controller.write".
 */
@Test
void requestedScopesMatchApprovalButSomeDenied() {
    AuthorizationRequest request = new AuthorizationRequest("foo", new HashSet<>(Arrays.asList("openid", "cloud_controller.read", "cloud_controller.write")));
    request.setApproved(false);

    // Approved records first, in the same order as before; the write scope is explicitly denied.
    for (String approvedScope : Arrays.asList("openid", "cloud_controller.read")) {
        approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope(approvedScope).setExpiresAt(nextWeek).setStatus(APPROVED), currentIdentityZoneId);
    }
    approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("cloud_controller.write").setExpiresAt(nextWeek).setStatus(DENIED), currentIdentityZoneId);

    // Approved because the user has acted on all requested scopes; the denied one is removed from the request.
    boolean approved = handler.isApproved(request, mockAuthentication);
    assertTrue(approved);
    HashSet<String> expectedScopes = new HashSet<>(Arrays.asList("openid", "cloud_controller.read"));
    assertEquals(expectedScopes, request.getScope());
}
Usage of org.cloudfoundry.identity.uaa.approval.Approval in the cloudfoundry/uaa project.
From class UserManagedAuthzApprovalHandlerTests, method requestedScopesDontMatchApprovalsAtAll.
/**
 * The user has approval records for the client, but none of them covers the requested
 * scope ("openid"), so the handler must not treat the request as approved: prior
 * decisions on unrelated scopes do not carry over to a scope the user never saw.
 */
@Test
void requestedScopesDontMatchApprovalsAtAll() {
    HashSet<String> requestedScopes = new HashSet<>(Collections.singletonList("openid"));
    AuthorizationRequest request = new AuthorizationRequest("foo", requestedScopes);
    request.setApproved(false);

    // Existing decisions for the cloud_controller scopes only; nothing recorded for "openid".
    approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("cloud_controller.read").setExpiresAt(nextWeek).setStatus(APPROVED), currentIdentityZoneId);
    approvalStore.addApproval(new Approval().setUserId(userId).setClientId("foo").setScope("cloud_controller.write").setExpiresAt(nextWeek).setStatus(DENIED), currentIdentityZoneId);

    // Not approved: the user has not yet decided on the requested scope.
    boolean approved = handler.isApproved(request, mockAuthentication);
    assertFalse(approved);
}