
Example 6 with ApprovalStore

Use of org.cloudfoundry.identity.uaa.approval.ApprovalStore in project uaa by cloudfoundry.

From the class ScimUserEndpointsMockMvcTests, method delete_user_clears_approvals.

@Test
void delete_user_clears_approvals() throws Exception {
    // Deleting a user must also purge that user's consent records in authz_approvals,
    // so no approval row outlives the principal it was granted for.
    ApprovalStore approvals = webApplicationContext.getBean(ApprovalStore.class);
    JdbcTemplate jdbc = webApplicationContext.getBean(JdbcTemplate.class);
    String countApprovalsForUser = "select count(*) from authz_approvals where user_id=?";

    ScimUser user = setUpScimUser();
    String zoneId = IdentityZoneHolder.get().getId();

    // Seed one approved scope for the user; the setters are fluent on Approval.
    Approval consent = new Approval()
            .setClientId("cf")
            .setUserId(user.getId())
            .setScope("openid")
            .setStatus(Approval.ApprovalStatus.APPROVED);
    approvals.addApproval(consent, zoneId);
    assertEquals(1, (long) jdbc.queryForObject(countApprovalsForUser, Integer.class, user.getId()));

    // Delete through the SCIM endpoint with an admin bearer token; the response echoes the deleted user.
    mockMvc.perform(delete("/Users/" + user.getId())
            .header("Authorization", "Bearer " + uaaAdminToken)
            .contentType(APPLICATION_JSON)
            .content(JsonUtils.writeValueAsBytes(user)))
            .andExpect(status().isOk())
            .andExpect(jsonPath("$.userName").value(user.getUserName()))
            .andExpect(jsonPath("$.emails[0].value").value(user.getPrimaryEmail()))
            .andExpect(jsonPath("$.name.givenName").value(user.getGivenName()))
            .andExpect(jsonPath("$.name.familyName").value(user.getFamilyName()));

    // The approval row must be gone once the user is.
    assertEquals(0, (long) jdbc.queryForObject(countApprovalsForUser, Integer.class, user.getId()));
}
Also used : ScimUser(org.cloudfoundry.identity.uaa.scim.ScimUser) ApprovalStore(org.cloudfoundry.identity.uaa.approval.ApprovalStore) JdbcTemplate(org.springframework.jdbc.core.JdbcTemplate) Approval(org.cloudfoundry.identity.uaa.approval.Approval) Test(org.junit.jupiter.api.Test)

Example 7 with ApprovalStore

Use of org.cloudfoundry.identity.uaa.approval.ApprovalStore in project uaa by cloudfoundry.

From the class IdentityZoneEndpointsMockMvcTests, method test_delete_zone_cleans_db.

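@Test
void test_delete_zone_cleans_db() throws Exception {
    // Verifies that deleting an identity zone removes every row that belongs to it:
    // clients, identity providers, users, groups, group memberships, external group
    // mappings and approvals. Orphaned rows would let tenant data survive the zone
    // that owned it, so each table is first populated and then asserted empty.
    // Count queries use JdbcTemplate's varargs overload (queryForObject(sql, type, args...));
    // the Object[] overload is deprecated since Spring 5.3.
    IdentityProviderProvisioning idpp = webApplicationContext.getBean(JdbcIdentityProviderProvisioning.class);
    ScimGroupProvisioning groupProvisioning = webApplicationContext.getBean(ScimGroupProvisioning.class);
    ScimUserProvisioning userProvisioning = webApplicationContext.getBean(ScimUserProvisioning.class);
    ScimGroupMembershipManager membershipManager = webApplicationContext.getBean(ScimGroupMembershipManager.class);
    ScimGroupExternalMembershipManager externalMembershipManager = webApplicationContext.getBean(ScimGroupExternalMembershipManager.class);
    ApprovalStore approvalStore = webApplicationContext.getBean(ApprovalStore.class);
    JdbcTemplate template = webApplicationContext.getBean(JdbcTemplate.class);
    String id = generator.generate();
    IdentityZone zone = createZone(id, HttpStatus.CREATED, identityClientToken, new IdentityZoneConfiguration());
    // create zone and clients
    BaseClientDetails client = new BaseClientDetails("limited-client", null, "openid", GRANT_TYPE_AUTHORIZATION_CODE, "uaa.resource");
    client.setClientSecret("secret");
    client.addAdditionalInformation(ClientConstants.ALLOWED_PROVIDERS, Collections.singletonList(UAA));
    client.addAdditionalInformation("foo", "bar");
    // identityClientZonesReadToken must not be able to create clients (403), for both URL spellings
    for (String url : Arrays.asList("", "/")) {
        mockMvc.perform(post("/identity-zones/" + zone.getId() + "/clients" + url).header("Authorization", "Bearer " + identityClientZonesReadToken).contentType(APPLICATION_JSON).accept(APPLICATION_JSON).content(JsonUtils.writeValueAsString(client))).andExpect(status().isForbidden());
    }
    // create client without token
    mockMvc.perform(post("/identity-zones/" + zone.getId() + "/clients").contentType(APPLICATION_JSON).accept(APPLICATION_JSON).content(JsonUtils.writeValueAsString(client))).andExpect(status().isUnauthorized());
    MvcResult result = mockMvc.perform(post("/identity-zones/" + zone.getId() + "/clients").header("Authorization", "Bearer " + identityClientToken).contentType(APPLICATION_JSON).accept(APPLICATION_JSON).content(JsonUtils.writeValueAsString(client))).andExpect(status().isCreated()).andReturn();
    BaseClientDetails created = JsonUtils.readValue(result.getResponse().getContentAsString(), BaseClientDetails.class);
    // the client secret must not be echoed back in the creation response
    assertNull(created.getClientSecret());
    assertEquals("zones.write", created.getAdditionalInformation().get(ClientConstants.CREATED_WITH));
    assertEquals(Collections.singletonList(UAA), created.getAdditionalInformation().get(ClientConstants.ALLOWED_PROVIDERS));
    assertEquals("bar", created.getAdditionalInformation().get("foo"));
    // ensure that UAA provider is there
    assertNotNull(idpp.retrieveByOrigin(UAA, zone.getId()));
    assertEquals(UAA, idpp.retrieveByOrigin(UAA, zone.getId()).getOriginKey());
    // create login-server provider
    IdentityProvider provider = new IdentityProvider().setOriginKey(LOGIN_SERVER).setActive(true).setIdentityZoneId(zone.getId()).setName("Delete Test").setType(LOGIN_SERVER);
    // the thread-local zone is switched to the new zone; every IdentityZoneHolder.get() below refers to it
    IdentityZoneHolder.set(zone);
    provider = idpp.create(provider, provider.getIdentityZoneId());
    assertNotNull(idpp.retrieveByOrigin(LOGIN_SERVER, zone.getId()));
    assertEquals(provider.getId(), idpp.retrieveByOrigin(LOGIN_SERVER, zone.getId()).getId());
    // create user and add user to group
    ScimUser user = getScimUser();
    user.setOrigin(LOGIN_SERVER);
    user = userProvisioning.createUser(user, "", IdentityZoneHolder.get().getId());
    assertNotNull(userProvisioning.retrieve(user.getId(), IdentityZoneHolder.get().getId()));
    assertEquals(zone.getId(), user.getZoneId());
    // create group
    ScimGroup group = new ScimGroup("Delete Test Group");
    group.setZoneId(zone.getId());
    group = groupProvisioning.create(group, IdentityZoneHolder.get().getId());
    membershipManager.addMember(group.getId(), new ScimGroupMember(user.getId(), ScimGroupMember.Type.USER), IdentityZoneHolder.get().getId());
    assertEquals(zone.getId(), group.getZoneId());
    assertNotNull(groupProvisioning.retrieve(group.getId(), IdentityZoneHolder.get().getId()));
    assertEquals("Delete Test Group", groupProvisioning.retrieve(group.getId(), IdentityZoneHolder.get().getId()).getDisplayName());
    assertEquals(1, membershipManager.getMembers(group.getId(), false, IdentityZoneHolder.get().getId()).size());
    // failed authenticated user (wrong password) so that the zone has something to audit
    mockMvc.perform(post("/login.do").header("Host", zone.getSubdomain() + ".localhost").with(cookieCsrf()).accept(TEXT_HTML_VALUE).param("username", user.getUserName()).param("password", "adasda")).andExpect(status().isFound());
    // ensure we have some audit records
    // this doesn't work yet
    // assertThat(template.queryForObject("select count(*) from sec_audit where identity_zone_id=?", new Object[] {user.getZoneId()}, Integer.class), greaterThan(0));
    // create an external group map
    IdentityZoneHolder.set(zone);
    externalMembershipManager.mapExternalGroup(group.getId(), "externalDeleteGroup", LOGIN_SERVER, IdentityZoneHolder.get().getId());
    assertEquals(1, externalMembershipManager.getExternalGroupMapsByGroupId(group.getId(), LOGIN_SERVER, IdentityZoneHolder.get().getId()).size());
    assertThat(template.queryForObject("select count(*) from external_group_mapping where origin=?", Integer.class, LOGIN_SERVER), is(1));
    // add user approvals
    approvalStore.addApproval(new Approval().setClientId(client.getClientId()).setScope("openid").setStatus(Approval.ApprovalStatus.APPROVED).setUserId(user.getId()), IdentityZoneHolder.get().getId());
    assertEquals(1, approvalStore.getApprovals(user.getId(), client.getClientId(), IdentityZoneHolder.get().getId()).size());
    // perform zone delete; a second delete of the same id must report 404, not succeed again
    mockMvc.perform(delete("/identity-zones/{id}", zone.getId()).header("Authorization", "Bearer " + identityClientToken).accept(APPLICATION_JSON)).andExpect(status().isOk());
    mockMvc.perform(delete("/identity-zones/{id}", zone.getId()).header("Authorization", "Bearer " + identityClientToken).accept(APPLICATION_JSON)).andExpect(status().isNotFound());
    assertThat(template.queryForObject("select count(*) from identity_zone where id=?", Integer.class, zone.getId()), is(0));
    assertThat(template.queryForObject("select count(*) from oauth_client_details where identity_zone_id=?", Integer.class, zone.getId()), is(0));
    assertThat(template.queryForObject("select count(*) from groups where identity_zone_id=?", Integer.class, zone.getId()), is(0));
    // NOTE(review): the ">0" precondition on sec_audit above is disabled, so this assertion
    // also passes when nothing was ever written and cannot by itself prove audit cleanup.
    assertThat(template.queryForObject("select count(*) from sec_audit where identity_zone_id=?", Integer.class, zone.getId()), is(0));
    assertThat(template.queryForObject("select count(*) from users where identity_zone_id=?", Integer.class, zone.getId()), is(0));
    assertThat(template.queryForObject("select count(*) from external_group_mapping where origin=?", Integer.class, LOGIN_SERVER), is(0));
    // once the zone is gone the mapping lookup must fail outright rather than return an empty list
    try {
        externalMembershipManager.getExternalGroupMapsByGroupId(group.getId(), LOGIN_SERVER, IdentityZoneHolder.get().getId());
        fail("no external groups should be found");
    } catch (ScimResourceNotFoundException ignored) {
    }
    // approvals are checked both at the table and through the store API
    assertThat(template.queryForObject("select count(*) from authz_approvals where user_id=?", Integer.class, user.getId()), is(0));
    assertEquals(0, approvalStore.getApprovals(user.getId(), client.getClientId(), IdentityZoneHolder.get().getId()).size());
}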
Also used : BaseClientDetails(org.springframework.security.oauth2.provider.client.BaseClientDetails) IdentityProviderProvisioning(org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning) JdbcIdentityProviderProvisioning(org.cloudfoundry.identity.uaa.provider.JdbcIdentityProviderProvisioning) IdentityProvider(org.cloudfoundry.identity.uaa.provider.IdentityProvider) ScimResourceNotFoundException(org.cloudfoundry.identity.uaa.scim.exception.ScimResourceNotFoundException) Matchers.containsString(org.hamcrest.Matchers.containsString) JdbcScimGroupProvisioning(org.cloudfoundry.identity.uaa.scim.jdbc.JdbcScimGroupProvisioning) JdbcTemplate(org.springframework.jdbc.core.JdbcTemplate) MvcResult(org.springframework.test.web.servlet.MvcResult) ApprovalStore(org.cloudfoundry.identity.uaa.approval.ApprovalStore) Approval(org.cloudfoundry.identity.uaa.approval.Approval) KeyWithCertTest(org.cloudfoundry.identity.uaa.util.KeyWithCertTest) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 8 with ApprovalStore

Use of org.cloudfoundry.identity.uaa.approval.ApprovalStore in project uaa by cloudfoundry.

From the class ClientAdminEndpointsTests, method setUp.

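@BeforeEach
void setUp() {
    // Builds a ClientAdminEndpoints instance over mocks so each test can exercise
    // client CRUD without a Spring context. The ApprovalStore is a plain mock here;
    // it is only a constructor collaborator of the endpoints.
    // Mockito is used through its static imports throughout (mock/spy/when/withSettings).
    testZone.setId("testzone");
    mockSecurityContextAccessor = mock(SecurityContextAccessor.class);
    clientDetailsService = mock(NoOpClientDetailsResourceManager.class);
    // create() is the only method on this mock that runs its real implementation
    when(clientDetailsService.create(any(ClientDetails.class), anyString())).thenCallRealMethod();
    clientRegistrationService = mock(MultitenantClientServices.class, withSettings().extraInterfaces(SystemDeletable.class));
    mockAuthenticationManager = mock(AuthenticationManager.class);
    ApprovalStore approvalStore = mock(ApprovalStore.class);
    clientDetailsValidator = new ClientAdminEndpointsValidator(mockSecurityContextAccessor);
    clientDetailsValidator.setClientDetailsService(clientDetailsService);
    // The same secret policy is installed on the validator and on the zone so both agree.
    // NOTE(review): presumably length bounds 0..255 with no character-class requirements — confirm against ClientSecretPolicy's constructor.
    clientDetailsValidator.setClientSecretValidator(new ZoneAwareClientSecretPolicyValidator(new ClientSecretPolicy(0, 255, 0, 0, 0, 0, 6)));
    testZone.getConfig().setClientSecretPolicy(new ClientSecretPolicy(0, 255, 0, 0, 0, 0, 6));
    IdentityZoneHolder.set(testZone);
    endpoints = spy(new ClientAdminEndpoints(mockSecurityContextAccessor, clientDetailsValidator, mockAuthenticationManager, mock(ResourceMonitor.class), approvalStore, clientRegistrationService, clientDetailsService, 5));
    // a single well-formed client request ...
    input = new BaseClientDetails();
    input.setClientId("foo");
    input.setClientSecret("secret");
    input.setAuthorizedGrantTypes(Collections.singletonList(GRANT_TYPE_AUTHORIZATION_CODE));
    input.setRegisteredRedirectUri(SINGLE_REDIRECT_URL);
    // ... and a batch of them, each with its own https redirect URI
    for (int i = 0; i < inputs.length; i++) {
        inputs[i] = new ClientDetailsModification();
        inputs[i].setClientId("foo-" + i);
        inputs[i].setClientSecret("secret-" + i);
        inputs[i].setAuthorizedGrantTypes(Collections.singletonList(GRANT_TYPE_AUTHORIZATION_CODE));
        // typed HashSet<String> instead of the raw HashSet the original used
        inputs[i].setRegisteredRedirectUri(new HashSet<>(Collections.singletonList("https://foo-" + i)));
        inputs[i].setAccessTokenValiditySeconds(300);
    }
    // expected persisted shape of `input` after the endpoint has normalised it
    detail = new UaaClientDetails(input);
    detail.setResourceIds(Collections.singletonList("none"));
    // refresh token is added automatically by endpoint validation
    detail.setAuthorizedGrantTypes(Arrays.asList(GRANT_TYPE_AUTHORIZATION_CODE, "refresh_token"));
    detail.setScope(Collections.singletonList("uaa.none"));
    detail.setAuthorities(AuthorityUtils.commaSeparatedStringToAuthorityList("uaa.none"));
    for (int i = 0; i < details.length; i++) {
        details[i] = new BaseClientDetails(inputs[i]);
        details[i].setResourceIds(Collections.singletonList("none"));
        // refresh token is added automatically by endpoint validation
        details[i].setAuthorizedGrantTypes(Arrays.asList(GRANT_TYPE_AUTHORIZATION_CODE, "refresh_token"));
        details[i].setScope(Collections.singletonList("uaa.none"));
        details[i].setAuthorities(AuthorityUtils.commaSeparatedStringToAuthorityList("uaa.none"));
    }
    // Stand-in publisher: an EntityDeletedEvent published through the ApplicationEvent
    // overload is turned into a removeClientDetails() call on the registration mock.
    // Events published through the Object overload are not handled.
    endpoints.setApplicationEventPublisher(new ApplicationEventPublisher() {

        @Override
        public void publishEvent(ApplicationEvent event) {
            if (event instanceof EntityDeletedEvent) {
                ClientDetails client = (ClientDetails) ((EntityDeletedEvent) event).getDeleted();
                clientRegistrationService.removeClientDetails(client.getClientId());
            }
        }

        @Override
        public void publishEvent(Object event) {
        }
    });
}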
Also used : BaseClientDetails(org.springframework.security.oauth2.provider.client.BaseClientDetails) ApplicationEvent(org.springframework.context.ApplicationEvent) ZoneAwareClientSecretPolicyValidator(org.cloudfoundry.identity.uaa.zone.ZoneAwareClientSecretPolicyValidator) AuthenticationManager(org.springframework.security.authentication.AuthenticationManager) ResourceMonitor(org.cloudfoundry.identity.uaa.resources.ResourceMonitor) MultitenantClientServices(org.cloudfoundry.identity.uaa.zone.MultitenantClientServices) BaseClientDetails(org.springframework.security.oauth2.provider.client.BaseClientDetails) ClientDetails(org.springframework.security.oauth2.provider.ClientDetails) ApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher) ApprovalStore(org.cloudfoundry.identity.uaa.approval.ApprovalStore) SecurityContextAccessor(org.cloudfoundry.identity.uaa.security.beans.SecurityContextAccessor) ClientSecretPolicy(org.cloudfoundry.identity.uaa.zone.ClientSecretPolicy) EntityDeletedEvent(org.cloudfoundry.identity.uaa.audit.event.EntityDeletedEvent) ClientDetailsModification(org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification) HashSet(java.util.HashSet) BeforeEach(org.junit.jupiter.api.BeforeEach)

Example 9 with ApprovalStore

Use of org.cloudfoundry.identity.uaa.approval.ApprovalStore in project uaa by cloudfoundry.

From the class ApprovalServiceTest, method setup.

@Before
public void setup() {
    // Fresh fixtures for every test: a client that carries the "foo.read,bar.write"
    // scope string, plus mocked clock and approval store collaborators for the
    // ApprovalService under test.
    clientDetails = new BaseClientDetails(CLIENT_ID, null, "foo.read,bar.write", null, null);
    timeService = mock(TimeService.class);
    approvalStore = mock(ApprovalStore.class);
    approvalService = new ApprovalService(timeService, approvalStore);
}
Also used : BaseClientDetails(org.springframework.security.oauth2.provider.client.BaseClientDetails) TimeService(org.cloudfoundry.identity.uaa.util.TimeService) ApprovalStore(org.cloudfoundry.identity.uaa.approval.ApprovalStore) ApprovalService(org.cloudfoundry.identity.uaa.approval.ApprovalService) Before(org.junit.Before)

Aggregations

ApprovalStore (org.cloudfoundry.identity.uaa.approval.ApprovalStore)9 Approval (org.cloudfoundry.identity.uaa.approval.Approval)7 Test (org.junit.jupiter.api.Test)6 Date (java.util.Date)5 BaseClientDetails (org.springframework.security.oauth2.provider.client.BaseClientDetails)3 BeforeEach (org.junit.jupiter.api.BeforeEach)2 JdbcTemplate (org.springframework.jdbc.core.JdbcTemplate)2 HashSet (java.util.HashSet)1 ApprovalService (org.cloudfoundry.identity.uaa.approval.ApprovalService)1 EntityDeletedEvent (org.cloudfoundry.identity.uaa.audit.event.EntityDeletedEvent)1 ClientDetailsModification (org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification)1 IdentityProvider (org.cloudfoundry.identity.uaa.provider.IdentityProvider)1 IdentityProviderProvisioning (org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning)1 JdbcIdentityProviderProvisioning (org.cloudfoundry.identity.uaa.provider.JdbcIdentityProviderProvisioning)1 ResourceMonitor (org.cloudfoundry.identity.uaa.resources.ResourceMonitor)1 ScimUser (org.cloudfoundry.identity.uaa.scim.ScimUser)1 ScimUserProvisioning (org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning)1 ScimResourceNotFoundException (org.cloudfoundry.identity.uaa.scim.exception.ScimResourceNotFoundException)1 JdbcScimGroupProvisioning (org.cloudfoundry.identity.uaa.scim.jdbc.JdbcScimGroupProvisioning)1 SecurityContextAccessor (org.cloudfoundry.identity.uaa.security.beans.SecurityContextAccessor)1