start implementation of jwt based authentication

scm-webapp/src/test/java/sonia/scm/security/BearerRealmTest.java

@@ -0,0 +1,278 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ * 3. Neither the name of SCM-Manager; nor the names of its
+ *    contributors may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.PrincipalCollection;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+
+import sonia.scm.group.GroupDAO;
+import sonia.scm.user.User;
+import sonia.scm.user.UserDAO;
+import sonia.scm.user.UserTestData;
+
+import static org.junit.Assert.*;
+
+import static org.mockito.Mockito.*;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import java.security.SecureRandom;
+
+import java.util.Date;
+
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class BearerRealmTest
+{
+
+  /**
+   * Method description
+   *
+   */
+  @Test
+  public void testDoGetAuthenticationInfo()
+  {
+    SecureKey key = createSecureKey();
+
+    User marvin = UserTestData.createMarvin();
+
+    when(userDAO.get(marvin.getName())).thenReturn(marvin);
+
+    resolveKey(key);
+
+    String compact = createCompactToken(marvin.getName(), key);
+
+    BearerAuthenticationToken token = new BearerAuthenticationToken(compact);
+    AuthenticationInfo info = realm.doGetAuthenticationInfo(token);
+
+    assertNotNull(info);
+
+    PrincipalCollection principals = info.getPrincipals();
+
+    assertEquals(marvin.getName(), principals.getPrimaryPrincipal());
+    assertEquals(marvin, principals.oneByType(User.class));
+  }
+
+  /**
+   * Method description
+   *
+   */
+  @Test(expected = AuthenticationException.class)
+  public void testDoGetAuthenticationInfoWithExpiredToken()
+  {
+    User trillian = UserTestData.createTrillian();
+
+    when(userDAO.get(trillian.getName())).thenReturn(trillian);
+
+    SecureKey key = createSecureKey();
+
+    resolveKey(key);
+
+    Date exp = new Date(System.currentTimeMillis() - 600l);
+    String compact = createCompactToken(trillian.getName(), key, exp);
+
+    realm.doGetAuthenticationInfo(new BearerAuthenticationToken(compact));
+  }
+
+  /**
+   * Method description
+   *
+   */
+  @Test(expected = AuthenticationException.class)
+  public void testDoGetAuthenticationInfoWithInvalidSignature()
+  {
+    resolveKey(createSecureKey());
+
+    User trillian = UserTestData.createTrillian();
+    String compact = createCompactToken(trillian.getName(), createSecureKey());
+
+    realm.doGetAuthenticationInfo(new BearerAuthenticationToken(compact));
+  }
+
+  /**
+   * Method description
+   *
+   */
+  @Test(expected = AuthenticationException.class)
+  public void testDoGetAuthenticationInfoWithoutSignature()
+  {
+    User trillian = UserTestData.createTrillian();
+
+    when(userDAO.get(trillian.getName())).thenReturn(trillian);
+
+    String compact = Jwts.builder().setSubject("test").compact();
+
+    realm.doGetAuthenticationInfo(new BearerAuthenticationToken(compact));
+  }
+
+  /**
+   * Method description
+   *
+   */
+  @Test(expected = IllegalArgumentException.class)
+  public void testDoGetAuthenticationInfoWrongToken()
+  {
+    realm.doGetAuthenticationInfo(new UsernamePasswordToken("test", "test"));
+  }
+
+  //~--- set methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   */
+  @Before
+  public void setUp()
+  {
+    realm = new BearerRealm(keyResolver, userDAO, groupDAO);
+  }
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param subject
+   * @param key
+   *
+   * @return
+   */
+  private String createCompactToken(String subject, SecureKey key)
+  {
+    return createCompactToken(subject, key,
+      new Date(System.currentTimeMillis() + 60000));
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param subject
+   * @param key
+   * @param exp
+   *
+   * @return
+   */
+  private String createCompactToken(String subject, SecureKey key, Date exp)
+  {
+    //J-
+    return Jwts.builder()
+      .setSubject(subject)
+      .setExpiration(exp)
+      .signWith(SignatureAlgorithm.HS256, key.getBytes())
+      .compact();
+    //J+
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @return
+   */
+  private SecureKey createSecureKey()
+  {
+    byte[] bytes = new byte[32];
+
+    random.nextBytes(bytes);
+
+    return new SecureKey(bytes, System.currentTimeMillis());
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param key
+   */
+  private void resolveKey(SecureKey key)
+  {
+    //J-
+    when(
+      keyResolver.resolveSigningKey(
+        any(JwsHeader.class), 
+        any(Claims.class)
+      )
+    )
+    .thenReturn(
+      new SecretKeySpec(
+        key.getBytes(), 
+        SignatureAlgorithm.HS256.getValue()
+      )
+    );
+    //J+
+  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** Field description */
+  private final SecureRandom random = new SecureRandom();
+
+  /** Field description */
+  @Mock
+  private GroupDAO groupDAO;
+
+  /** Field description */
+  @Mock
+  private SecureKeyResolver keyResolver;
+
+  /** Field description */
+  private BearerRealm realm;
+
+  /** Field description */
+  @Mock
+  private UserDAO userDAO;
+}

scm-webapp/src/test/java/sonia/scm/security/BearerTokenGeneratorTest.java

@@ -0,0 +1,138 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ * 3. Neither the name of SCM-Manager; nor the names of its
+ *    contributors may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+
+import sonia.scm.user.User;
+import sonia.scm.user.UserTestData;
+
+import static org.hamcrest.Matchers.*;
+
+import static org.junit.Assert.*;
+
+import static org.mockito.Mockito.*;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import java.security.SecureRandom;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class BearerTokenGeneratorTest
+{
+
+  /**
+   * Method description
+   *
+   */
+  @Test
+  public void testCreateBearerToken()
+  {
+    User trillian = UserTestData.createTrillian();
+    SecureKey key = createSecureKey();
+
+    when(keyGenerator.createKey()).thenReturn("sid");
+    when(keyResolver.getSecureKey(trillian.getName())).thenReturn(key);
+
+    String token = tokenGenerator.createBearerToken(trillian);
+
+    assertThat(token, not(isEmptyOrNullString()));
+    assertTrue(Jwts.parser().isSigned(token));
+
+    Claims claims = Jwts.parser().setSigningKey(key.getBytes()).parseClaimsJws(
+                      token).getBody();
+
+    assertEquals(trillian.getName(), claims.getSubject());
+    assertEquals("sid", claims.getId());
+  }
+
+  //~--- set methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   */
+  @Before
+  public void setUp()
+  {
+    tokenGenerator = new BearerTokenGenerator(keyGenerator, keyResolver);
+  }
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @return
+   */
+  private SecureKey createSecureKey()
+  {
+    byte[] bytes = new byte[32];
+
+    random.nextBytes(bytes);
+
+    return new SecureKey(bytes, System.currentTimeMillis());
+  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** Field description */
+  private final SecureRandom random = new SecureRandom();
+
+  /** Field description */
+  @Mock
+  private KeyGenerator keyGenerator;
+
+  /** Field description */
+  @Mock
+  private SecureKeyResolver keyResolver;
+
+  /** Field description */
+  private BearerTokenGenerator tokenGenerator;
+}

scm-webapp/src/test/java/sonia/scm/security/SecureKeyResolverTest.java

@@ -0,0 +1,141 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ * 3. Neither the name of SCM-Manager; nor the names of its
+ *    contributors may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import io.jsonwebtoken.Jwts;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+
+import sonia.scm.store.ConfigurationEntryStore;
+import sonia.scm.store.ConfigurationEntryStoreFactory;
+
+import static org.junit.Assert.*;
+
+import static org.mockito.Mockito.*;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class SecureKeyResolverTest
+{
+
+  /**
+   * Method description
+   *
+   */
+  @Test
+  public void testGetSecureKey()
+  {
+    SecureKey key = resolver.getSecureKey("test");
+
+    assertNotNull(key);
+    when(store.get("test")).thenReturn(key);
+
+    SecureKey sameKey = resolver.getSecureKey("test");
+
+    assertSame(key, sameKey);
+  }
+
+  /**
+   * Method description
+   *
+   */
+  @Test
+  public void testResolveSigningKeyBytes()
+  {
+    SecureKey key = resolver.getSecureKey("test");
+
+    when(store.get("test")).thenReturn(key);
+
+    byte[] bytes = resolver.resolveSigningKeyBytes(null,
+                     Jwts.claims().setSubject("test"));
+
+    assertArrayEquals(key.getBytes(), bytes);
+  }
+
+  /**
+   * Method description
+   *
+   */
+  @Test(expected = IllegalStateException.class)
+  public void testResolveSigningKeyBytesWithoutKey()
+  {
+    resolver.resolveSigningKeyBytes(null, Jwts.claims().setSubject("test"));
+  }
+
+  /**
+   * Method description
+   *
+   */
+  @Test(expected = IllegalArgumentException.class)
+  public void testResolveSigningKeyBytesWithoutSubject()
+  {
+    resolver.resolveSigningKeyBytes(null, Jwts.claims());
+  }
+
+  //~--- set methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   */
+  @Before
+  public void setUp()
+  {
+    ConfigurationEntryStoreFactory factory =
+      mock(ConfigurationEntryStoreFactory.class);
+
+    when(factory.getStore(SecureKey.class,
+      SecureKeyResolver.STORE_NAME)).thenReturn(store);
+    resolver = new SecureKeyResolver(factory);
+  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** Field description */
+  private SecureKeyResolver resolver;
+
+  /** Field description */
+  @Mock
+  private ConfigurationEntryStore<SecureKey> store;
+}