replace TokenClaimsValidator with not so generic AccessTokenValidator interface and fixed duplicated code of BearerRealm and JwtAccessTokenResolve

scm-core/src/main/java/sonia/scm/security/AccessTokenValidator.java

@@ -30,26 +30,25 @@
  */
 package sonia.scm.security;
 
-import java.util.Map;
 import sonia.scm.plugin.ExtensionPoint;
 
 /**
- * Validates the claims of a jwt token. The validator is called durring authentication
+ * Validates an {@link AccessToken}. The validator is called during authentication
- * with a jwt token.
+ * with an {@link AccessToken}.
  * 
  * @author Sebastian Sdorra
  * @since 2.0.0
  */
 @ExtensionPoint
-public interface TokenClaimsValidator {
+public interface AccessTokenValidator {
   
   /**
-   * Returns {@code true} if the claims is valid. If the token is not valid and the
+   * Returns {@code true} if the {@link AccessToken} is valid. If the token is not valid and the
    * method returns {@code false}, the authentication is treated as failed.
    * 
-   * @param claims token claims
+   * @param token the access token to verify
    * 
-   * @return {@code true} if the claims is valid
+   * @return {@code true} if the token is valid
    */
-  boolean validate(Map<String, Object> claims); 
+  boolean validate(AccessToken token);
 }

scm-webapp/src/main/java/sonia/scm/security/BearerRealm.java

@@ -31,35 +31,20 @@
 
 package sonia.scm.security;
 
-//~--- non-JDK imports --------------------------------------------------------
-
 import com.google.common.annotations.VisibleForTesting;
-
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.JwtException;
-import io.jsonwebtoken.Jwts;
-
-import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
 import org.apache.shiro.realm.AuthenticatingRealm;
-
 import sonia.scm.group.GroupDAO;
 import sonia.scm.plugin.Extension;
 import sonia.scm.user.UserDAO;
 
-import static com.google.common.base.Preconditions.checkArgument;
-
-import java.util.List;
-import java.util.Set;
-
-//~--- JDK imports ------------------------------------------------------------
-
 import javax.inject.Inject;
 import javax.inject.Singleton;
-import org.slf4j.Logger;
+
-import org.slf4j.LoggerFactory;
+import static com.google.common.base.Preconditions.checkArgument;
+
 
 /**
  * Realm for authentication with {@link BearerToken}.
@@ -72,32 +57,27 @@ import org.slf4j.LoggerFactory;
 public class BearerRealm extends AuthenticatingRealm
 {
   
-  /**
-   * the logger for BearerRealm
-   */
-  private static final Logger LOG = LoggerFactory.getLogger(BearerRealm.class);
-  
   /** realm name */
   @VisibleForTesting
   static final String REALM = "BearerRealm";
 
-  //~--- constructors ---------------------------------------------------------
+
+  /** dao realm helper */
+  private final DAORealmHelper helper;
+
+  /** access token resolver **/
+  private final AccessTokenResolver tokenResolver;
 
   /**
    * Constructs ...
    *
    * @param helperFactory dao realm helper factory
-   * @param resolver key resolver
+   * @param tokenResolver resolve access token from bearer
-   * @param validators token claims validators
    */
   @Inject
-  public BearerRealm(
+  public BearerRealm(DAORealmHelperFactory helperFactory, AccessTokenResolver tokenResolver) {
-    DAORealmHelperFactory helperFactory, SecureKeyResolver resolver, Set<TokenClaimsValidator> validators
-  )
-  {
     this.helper = helperFactory.create(REALM);
-    this.resolver = resolver;
+    this.tokenResolver = tokenResolver;
-    this.validators = validators;
 
     setCredentialsMatcher(new AllowAllCredentialsMatcher());
     setAuthenticationTokenClass(BearerToken.class);
@@ -106,71 +86,26 @@ public class BearerRealm extends AuthenticatingRealm
   //~--- methods --------------------------------------------------------------
 
   /**
-   * Validates the given jwt token and retrieves authentication data from
+   * Validates the given bearer token and retrieves authentication data from
    * {@link UserDAO} and {@link GroupDAO}.
    *
    *
-   * @param token jwt token
+   * @param token bearer token
    *
    * @return authentication data from user and group dao
    */
   @Override
-  protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken token)
+  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
-  {
+    checkArgument(token instanceof BearerToken, "%s is required", BearerToken.class);
-    checkArgument(token instanceof BearerToken, "%s is required",
-      BearerToken.class);
 
     BearerToken bt = (BearerToken) token;
-    Claims c = checkToken(bt);
+    AccessToken accessToken = tokenResolver.resolve(bt);
 
-    return helper.getAuthenticationInfo(c.getSubject(), bt.getCredentials(), Scopes.fromClaims(c));
+    return helper.getAuthenticationInfo(
+      accessToken.getSubject(),
+      bt.getCredentials(),
+      Scopes.fromClaims(accessToken.getClaims())
+    );
   }
 
-  /**
-   * Validates the jwt token.
-   *
-   *
-   * @param token jwt token
-   *
-   * @return claim
-   */
-  private Claims checkToken(BearerToken token)
-  {
-    Claims claims;
-
-    try
-    {
-      //J-
-      claims = Jwts.parser()
-        .setSigningKeyResolver(resolver)
-        .parseClaimsJws(token.getCredentials())
-        .getBody();
-      //J+
-      
-      // check all registered claims validators
-      validators.forEach((validator) -> {
-        if (!validator.validate(claims)) {
-          LOG.warn("token claims is invalid, marked by validator {}", validator.getClass());
-          throw new AuthenticationException("token claims is invalid");
-        }
-      });
-    }
-    catch (JwtException ex)
-    {
-      throw new AuthenticationException("signature is invalid", ex);
-    }
-
-    return claims;
-  }
-
-  //~--- fields ---------------------------------------------------------------
-
-  /** token claims validators **/
-  private final Set<TokenClaimsValidator> validators;
-  
-  /** dao realm helper */
-  private final DAORealmHelper helper;
-
-  /** secure key resolver */
-  private final SecureKeyResolver resolver;
 }

scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenResolver.java

@@ -55,37 +55,48 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
   private static final Logger LOG = LoggerFactory.getLogger(JwtAccessTokenResolver.class);
   
   private final SecureKeyResolver keyResolver;
-  private final Set<TokenClaimsValidator> validators;
+  private final Set<AccessTokenValidator> validators;
 
   @Inject
-  public JwtAccessTokenResolver(SecureKeyResolver keyResolver, Set<TokenClaimsValidator> validators) {
+  public JwtAccessTokenResolver(SecureKeyResolver keyResolver, Set<AccessTokenValidator> validators) {
     this.keyResolver = keyResolver;
     this.validators = validators;
   }
   
   @Override
   public JwtAccessToken resolve(BearerToken bearerToken) {
-    Claims claims;
-
     try {
-      // parse and validate
+      String compact = bearerToken.getCredentials();
-      claims = Jwts.parser()
+
+      Claims claims = Jwts.parser()
         .setSigningKeyResolver(keyResolver)
-        .parseClaimsJws(bearerToken.getCredentials())
+        .parseClaimsJws(compact)
         .getBody();
 
-      // check all registered claims validators
+      JwtAccessToken token = new JwtAccessToken(claims, compact);
-      validators.forEach((validator) -> {
+      validate(token);
-        if (!validator.validate(claims)) {
+
-          LOG.warn("token claims is invalid, marked by validator {}", validator.getClass());
+      return token;
-          throw new AuthenticationException("token claims is invalid");
-        }
-      });
     } catch (JwtException ex) {
       throw new AuthenticationException("signature is invalid", ex);
     }
+  }
 
-    return new JwtAccessToken(claims, bearerToken.getCredentials());
+
+  private void validate(AccessToken accessToken) {
+    validators.forEach(validator -> validate(validator, accessToken));
+  }
+
+  private void validate(AccessTokenValidator validator, AccessToken accessToken) {
+    if (!validator.validate(accessToken)) {
+      String msg = createValidationFailedMessage(validator, accessToken);
+      LOG.debug(msg);
+      throw new AuthenticationException(msg);
+    }
+  }
+
+  private String createValidationFailedMessage(AccessTokenValidator validator, AccessToken accessToken) {
+    return String.format("token %s is invalid, marked by validator %s", accessToken.getId(), validator.getClass());
   }
   
 }

scm-webapp/src/main/java/sonia/scm/security/Scopes.java

@@ -47,7 +47,7 @@ import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.authz.permission.PermissionResolver;
 
 /**
- * Utile methods for {@link Scope}.
+ * Util methods for {@link Scope}.
  * 
  * @author Sebastian Sdorra
  * @since 2.0.0

scm-webapp/src/main/java/sonia/scm/security/XsrfAccessTokenEnricher.java

@@ -44,7 +44,7 @@ import sonia.scm.util.HttpUtil;
 /**
  * Xsrf access token enricher will add an xsrf custom field to the access token. The enricher will only
  * add the xsrf field, if the authentication request is issued from the web interface and xsrf protection is
- * enabled. The xsrf field will be validated on every request by the {@link XsrfTokenClaimsValidator}. Xsrf protection
+ * enabled. The xsrf field will be validated on every request by the {@link XsrfAccessTokenValidator}. Xsrf protection
  * can be disabled with {@link ScmConfiguration#setEnabledXsrfProtection(boolean)}.
  * 
  * @see <a href="https://goo.gl/s67xO3">Issue 793</a>

scm-webapp/src/main/java/sonia/scm/security/XsrfAccessTokenValidator.java

@@ -30,30 +30,23 @@
  */
 package sonia.scm.security;
 
-import com.google.common.base.Strings;
+import sonia.scm.plugin.Extension;
-import java.util.Map;
+
 import javax.inject.Inject;
 import javax.inject.Provider;
 import javax.servlet.http.HttpServletRequest;
-import org.slf4j.Logger;
+import java.util.Optional;
-import org.slf4j.LoggerFactory;
-import sonia.scm.plugin.Extension;
 
 /**
- * Validates xsrf protected token claims. The validator check if the current request contains an xsrf key which is
+ * Validates xsrf protected access tokens. The validator check if the current request contains an xsrf key which is
- * equal to the token in the claims. If the claims does not contain a xsrf key, the check is passed by. The xsrf keys
+ * equal to the one in the access token. If the token does not contain a xsrf key, the check is passed by. The xsrf keys
- * are added by the {@link XsrfTokenClaimsEnricher}.
+ * are added by the {@link XsrfAccessTokenEnricher}.
  * 
  * @author Sebastian Sdorra
  * @since 2.0.0
  */
 @Extension
-public class XsrfTokenClaimsValidator implements TokenClaimsValidator {
+public class XsrfAccessTokenValidator implements AccessTokenValidator {
-
-  /**
-   * the logger for XsrfTokenClaimsEnricher
-   */
-  private static final Logger LOG = LoggerFactory.getLogger(XsrfTokenClaimsValidator.class);
   
   private final Provider<HttpServletRequest> requestProvider;
 
@@ -64,16 +57,16 @@ public class XsrfTokenClaimsValidator implements TokenClaimsValidator {
    * @param requestProvider http request provider
    */
   @Inject
-  public XsrfTokenClaimsValidator(Provider<HttpServletRequest> requestProvider) {
+  public XsrfAccessTokenValidator(Provider<HttpServletRequest> requestProvider) {
     this.requestProvider = requestProvider;
   }
   
   @Override
-  public boolean validate(Map<String, Object> claims) {
+  public boolean validate(AccessToken accessToken) {
-    String xsrfClaimValue = (String) claims.get(Xsrf.TOKEN_KEY);
+    Optional<String> xsrfClaim = accessToken.getCustom(Xsrf.TOKEN_KEY);
-    if (!Strings.isNullOrEmpty(xsrfClaimValue)) {
+    if (xsrfClaim.isPresent()) {
       String xsrfHeaderValue = requestProvider.get().getHeader(Xsrf.HEADER_KEY);
-      return xsrfClaimValue.equals(xsrfHeaderValue);
+      return xsrfClaim.get().equals(xsrfHeaderValue);
     }
     return true;
   }

scm-webapp/src/test/java/sonia/scm/security/BearerRealmTest.java

@@ -29,271 +29,98 @@
  *
  */
 
-
-
 package sonia.scm.security;
 
-//~--- non-JDK imports --------------------------------------------------------
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Sets;
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.JwsHeader;
-import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.SignatureAlgorithm;
-import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.subject.PrincipalCollection;
+import org.junit.jupiter.api.BeforeEach;
-import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Test;
-import org.junit.Before;
+import org.junit.jupiter.api.extension.ExtendWith;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.ExpectedException;
-import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
-import org.mockito.Mockito;
+import org.mockito.invocation.InvocationOnMock;
-import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.junit.jupiter.MockitoExtension;
-import sonia.scm.group.GroupDAO;
+import org.mockito.stubbing.Answer;
-import sonia.scm.user.User;
-import sonia.scm.user.UserDAO;
-import sonia.scm.user.UserTestData;
 
-import javax.crypto.spec.SecretKeySpec;
+import java.util.HashMap;
-import java.util.Date;
-import java.util.Set;
 
-import static org.junit.Assert.assertEquals;
+import static org.assertj.core.api.Assertions.assertThat;
-import static org.junit.Assert.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.Assert.assertThat;
+import static org.mockito.ArgumentMatchers.any;
-import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
-import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;
 
 /**
  * Unit tests for {@link BearerRealm}.
  * 
  * @author Sebastian Sdorra
  */
-@SuppressWarnings("unchecked")
+@ExtendWith(MockitoExtension.class)
-@RunWith(MockitoJUnitRunner.class)
+class BearerRealmTest {
-public class BearerRealmTest
-{
 
-  @Rule
+  @Mock
-  public ExpectedException expectedException = ExpectedException.none();
+  private DAORealmHelperFactory realmHelperFactory;
 
-  /**
+  @Mock
-   * Method description
+  private DAORealmHelper realmHelper;
-   *
-   */
-  @Test
-  public void testDoGetAuthenticationInfo()
-  {
-    SecureKey key = createSecureKey();
 
-    User marvin = UserTestData.createMarvin();
+  @Mock
-
+  private AccessTokenResolver accessTokenResolver;
-    when(userDAO.get(marvin.getName())).thenReturn(marvin);
-
-    resolveKey(key);
-
-    String compact = createCompactToken(marvin.getName(), key);
-
-    BearerToken token = BearerToken.valueOf(compact);
-    AuthenticationInfo info = realm.doGetAuthenticationInfo(token);
-
-    assertNotNull(info);
-
-    PrincipalCollection principals = info.getPrincipals();
-
-    assertEquals(marvin.getName(), principals.getPrimaryPrincipal());
-    assertEquals(marvin, principals.oneByType(User.class));
-    assertNotNull(principals.oneByType(Scope.class));
-    assertTrue(principals.oneByType(Scope.class).isEmpty());
-  }
-  
-  /**
-   * Test {@link BearerRealm#doGetAuthenticationInfo(AuthenticationToken)} with scope.
-   *
-   */
-  @Test
-  public void testDoGetAuthenticationInfoWithScope()
-  {
-    SecureKey key = createSecureKey();
-
-    User marvin = UserTestData.createMarvin();
-
-    when(userDAO.get(marvin.getName())).thenReturn(marvin);
-
-    resolveKey(key);
-
-    String compact = createCompactToken(
-      marvin.getName(), 
-      key, 
-      new Date(System.currentTimeMillis() + 60000), 
-      Scope.valueOf("repo:*", "user:*")
-    );
-    
-    AuthenticationInfo info = realm.doGetAuthenticationInfo(BearerToken.valueOf(compact));
-    Scope scope = info.getPrincipals().oneByType(Scope.class);
-    assertThat(scope, Matchers.containsInAnyOrder("repo:*", "user:*"));
-  }
-  
-  /**
-   * Test {@link BearerRealm#doGetAuthenticationInfo(AuthenticationToken)} with a failed
-   * claims validation.
-   */
-  @Test
-  public void testDoGetAuthenticationInfoWithInvalidClaims()
-  {
-    SecureKey key = createSecureKey();
-    User marvin = UserTestData.createMarvin();
-
-    resolveKey(key);
-
-    String compact = createCompactToken(marvin.getName(), key);
-
-    // treat claims as invalid
-    when(validator.validate(Mockito.anyMap())).thenReturn(false);
-    
-    // expect exception
-    expectedException.expect(AuthenticationException.class);
-    expectedException.expectMessage(Matchers.containsString("claims"));
-    
-    // kick authentication
-    realm.doGetAuthenticationInfo(BearerToken.valueOf(compact));
-  }
-
-  /**
-   * Method description
-   *
-   */
-  @Test(expected = AuthenticationException.class)
-  public void testDoGetAuthenticationInfoWithExpiredToken()
-  {
-    User trillian = UserTestData.createTrillian();
-
-    SecureKey key = createSecureKey();
-
-    resolveKey(key);
-
-    Date exp = new Date(System.currentTimeMillis() - 600l);
-    String compact = createCompactToken(trillian.getName(), key, exp, Scope.empty());
-
-    realm.doGetAuthenticationInfo(BearerToken.valueOf(compact));
-  }
-
-  /**
-   * Method description
-   *
-   */
-  @Test(expected = AuthenticationException.class)
-  public void testDoGetAuthenticationInfoWithInvalidSignature()
-  {
-    resolveKey(createSecureKey());
-
-    User trillian = UserTestData.createTrillian();
-    String compact = createCompactToken(trillian.getName(), createSecureKey());
-
-    realm.doGetAuthenticationInfo(BearerToken.valueOf(compact));
-  }
-
-  /**
-   * Method description
-   *
-   */
-  @Test(expected = AuthenticationException.class)
-  public void testDoGetAuthenticationInfoWithoutSignature()
-  {
-    String compact = Jwts.builder().setSubject("test").compact();
-
-    realm.doGetAuthenticationInfo(BearerToken.valueOf(compact));
-  }
-
-  /**
-   * Method description
-   *
-   */
-  @Test(expected = IllegalArgumentException.class)
-  public void testDoGetAuthenticationInfoWrongToken()
-  {
-    realm.doGetAuthenticationInfo(new UsernamePasswordToken("test", "test"));
-  }
-
-  //~--- set methods ----------------------------------------------------------
-
-  /**
-   * Method description
-   *
-   */
-  @Before
-  public void setUp()
-  {
-    when(validator.validate(Mockito.anyMap())).thenReturn(true);
-    Set<TokenClaimsValidator> validators = Sets.newHashSet(validator);
-    realm = new BearerRealm(helperFactory, keyResolver, validators);
-  }
-
-  //~--- methods --------------------------------------------------------------
-
-private String createCompactToken(String subject, SecureKey key) {
-    return createCompactToken(subject, key, Scope.empty());
-  }
-  
-  private String createCompactToken(String subject, SecureKey key, Scope scope) {
-    return createCompactToken(subject, key, new Date(System.currentTimeMillis() + 60000), scope);
-  }
-
-  private String createCompactToken(String subject, SecureKey key, Date exp, Scope scope) {
-    return Jwts.builder()
-      .claim(Scopes.CLAIMS_KEY, ImmutableList.copyOf(scope))
-      .setSubject(subject)
-      .setExpiration(exp)
-      .signWith(SignatureAlgorithm.HS256, key.getBytes())
-      .compact();
-  }
-
-  private void resolveKey(SecureKey key) {
-    when(
-      keyResolver.resolveSigningKey(
-        any(JwsHeader.class), 
-        any(Claims.class)
-      )
-    )
-    .thenReturn(
-      new SecretKeySpec(
-        key.getBytes(), 
-        SignatureAlgorithm.HS256.getJcaName()
-      )
-    );
-  }
-
-  //~--- fields ---------------------------------------------------------------
 
   @InjectMocks
-  private DAORealmHelperFactory helperFactory;
-  
-  @Mock
-  private LoginAttemptHandler loginAttemptHandler;
-  
-  @Mock
-  private TokenClaimsValidator validator;
-  
-  /** Field description */
-  @Mock
-  private GroupDAO groupDAO;
-
-  /** Field description */
-  @Mock
-  private SecureKeyResolver keyResolver;
-
-  /** Field description */
   private BearerRealm realm;
 
-  /** Field description */
   @Mock
-  private UserDAO userDAO;
+  private AuthenticationInfo authenticationInfo;
+
+  @BeforeEach
+  void prepareObjectUnderTest() {
+    when(realmHelperFactory.create(BearerRealm.REALM)).thenReturn(realmHelper);
+    realm = new BearerRealm(realmHelperFactory, accessTokenResolver);
+  }
+
+  @Test
+  void shouldDoGetAuthentication() {
+    BearerToken bearerToken = BearerToken.valueOf("__bearer__");
+    AccessToken accessToken = mock(AccessToken.class);
+    when(accessToken.getSubject()).thenReturn("trillian");
+    when(accessToken.getClaims()).thenReturn(new HashMap<>());
+
+    when(accessTokenResolver.resolve(bearerToken)).thenReturn(accessToken);
+
+    // we have to use answer, because we could not mock the result of Scopes
+    when(realmHelper.getAuthenticationInfo(
+      anyString(), anyString(), any(Scope.class)
+    )).thenAnswer(createAnswer("trillian", "__bearer__", true));
+
+    AuthenticationInfo result = realm.doGetAuthenticationInfo(bearerToken);
+    assertThat(result).isSameAs(authenticationInfo);
+  }
+
+  @Test
+  void shouldThrowIllegalArgumentExceptionForWrongTypeOfToken() {
+    assertThrows(IllegalArgumentException.class, () -> realm.doGetAuthenticationInfo(new UsernamePasswordToken()));
+  }
+
+  private Answer<AuthenticationInfo> createAnswer(String expectedSubject, String expectedCredentials, boolean scopeEmpty) {
+    return (iom) -> {
+      String subject = iom.getArgument(0);
+      assertThat(subject).isEqualTo(expectedSubject);
+      String credentials = iom.getArgument(1);
+      assertThat(credentials).isEqualTo(expectedCredentials);
+      Scope scope = iom.getArgument(2);
+      assertThat(scope.isEmpty()).isEqualTo(scopeEmpty);
+
+      return authenticationInfo;
+    };
+  }
+
+  private class MyAnswer implements Answer<AuthenticationInfo> {
+
+    @Override
+    public AuthenticationInfo answer(InvocationOnMock invocationOnMock) throws Throwable {
+      return null;
+    }
+  }
 }

scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenResolverTest.java

@@ -40,26 +40,27 @@ import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.SignatureException;
 import io.jsonwebtoken.UnsupportedJwtException;
-import java.security.SecureRandom;
-import java.util.Date;
-import java.util.Set;
-import javax.crypto.spec.SecretKeySpec;
 import org.apache.shiro.authc.AuthenticationException;
 import org.hamcrest.Matchers;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import static org.hamcrest.Matchers.*;
 import org.junit.Before;
 import org.junit.Rule;
+import org.junit.Test;
 import org.junit.rules.ExpectedException;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
-import static org.mockito.Mockito.*;
-import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;
-
 import org.mockito.junit.MockitoJUnitRunner;
 
+import javax.crypto.spec.SecretKeySpec;
+import java.util.Date;
+import java.util.Set;
+
+import static org.hamcrest.Matchers.instanceOf;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
+import static org.mockito.Mockito.when;
+import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;
+
 /**
  * Unit tests for {@link JwtAccessTokenResolver}.
  * 
@@ -71,13 +72,11 @@ public class JwtAccessTokenResolverTest {
   @Rule
   public ExpectedException expectedException = ExpectedException.none();
 
-  private final SecureRandom random = new SecureRandom();
-  
   @Mock
   private SecureKeyResolver keyResolver;
   
   @Mock
-  private TokenClaimsValidator validator;
+  private AccessTokenValidator validator;
   
   private JwtAccessTokenResolver resolver;
   
@@ -86,8 +85,8 @@ public class JwtAccessTokenResolverTest {
    */
   @Before
   public void prepareObjectUnderTest() {
-    Set<TokenClaimsValidator> validators = Sets.newHashSet(validator);
+    Set<AccessTokenValidator> validators = Sets.newHashSet(validator);
-    when(validator.validate(anyMap())).thenReturn(true);
+    when(validator.validate(Mockito.any(AccessToken.class))).thenReturn(true);
     resolver = new JwtAccessTokenResolver(keyResolver, validators);
   }
 
@@ -115,11 +114,11 @@ public class JwtAccessTokenResolverTest {
     String compact = createCompactToken("marvin", secureKey);
 
     // prepare mock
-    when(validator.validate(anyMap())).thenReturn(false);
+    when(validator.validate(Mockito.any(AccessToken.class))).thenReturn(false);
     
     // expect exception
     expectedException.expect(AuthenticationException.class);
-    expectedException.expectMessage(Matchers.containsString("claims"));
+    expectedException.expectMessage(Matchers.containsString("token"));
     
     BearerToken bearer = BearerToken.valueOf(compact);
     resolver.resolve(bearer);

scm-webapp/src/test/java/sonia/scm/security/XsrfAccessTokenValidatorTest.java

@@ -31,88 +31,90 @@
 
 package sonia.scm.security;
 
-import com.google.common.collect.Maps;
-import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-import org.junit.Test;
-import static org.junit.Assert.*;
 import org.junit.Before;
+import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
-import static org.mockito.Mockito.*;
 import org.mockito.junit.MockitoJUnitRunner;
 
+import javax.servlet.http.HttpServletRequest;
+import java.util.Optional;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.when;
+
 /**
- * Tests {@link XsrfTokenClaimsValidator}.
+ * Tests {@link XsrfAccessTokenValidator}.
  * 
  * @author Sebastian Sdorra
  */
 @RunWith(MockitoJUnitRunner.class)
-public class XsrfTokenClaimsValidatorTest {
+public class XsrfAccessTokenValidatorTest {
 
   @Mock
   private HttpServletRequest request;
 
-  private XsrfTokenClaimsValidator validator;
+  @Mock
+  private AccessToken accessToken;
+
+  private XsrfAccessTokenValidator validator;
   
   /**
    * Prepare object under test.
    */
   @Before
   public void prepareObjectUnderTest() {
-    validator = new XsrfTokenClaimsValidator(() -> request);
+    validator = new XsrfAccessTokenValidator(() -> request);
   }
   
   /**
-   * Tests {@link XsrfTokenClaimsValidator#validate(java.util.Map)}.
+   * Tests {@link XsrfAccessTokenValidator#validate(AccessToken)}.
    */
   @Test
   public void testValidate() {
     // prepare
-    Map<String, Object> claims = Maps.newHashMap();
+    when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
-    claims.put(Xsrf.TOKEN_KEY, "abc");
     when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("abc");
     
     // execute and assert
-    assertTrue(validator.validate(claims));
+    assertTrue(validator.validate(accessToken));
   }
   
   /**
-   * Tests {@link XsrfTokenClaimsValidator#validate(java.util.Map)} with wrong header.
+   * Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} with wrong header.
    */
   @Test
   public void testValidateWithWrongHeader() {
     // prepare
-    Map<String, Object> claims = Maps.newHashMap();
+    when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
-    claims.put(Xsrf.TOKEN_KEY, "abc");
     when(request.getHeader(Xsrf.HEADER_KEY)).thenReturn("123");
     
     // execute and assert
-    assertFalse(validator.validate(claims));
+    assertFalse(validator.validate(accessToken));
   }
   
   /**
-   * Tests {@link XsrfTokenClaimsValidator#validate(java.util.Map)} without header.
+   * Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without header.
    */
   @Test
   public void testValidateWithoutHeader() {
     // prepare
-    Map<String, Object> claims = Maps.newHashMap();
+    when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.of("abc"));
-    claims.put(Xsrf.TOKEN_KEY, "abc");
     
     // execute and assert
-    assertFalse(validator.validate(claims));
+    assertFalse(validator.validate(accessToken));
   }
   
   /**
-   * Tests {@link XsrfTokenClaimsValidator#validate(java.util.Map)} without claims key.
+   * Tests {@link XsrfAccessTokenValidator#validate(AccessToken)} without claims key.
    */
   @Test
   public void testValidateWithoutClaimsKey() {
     // prepare
-    Map<String, Object> claims = Maps.newHashMap();
+    when(accessToken.getCustom(Xsrf.TOKEN_KEY)).thenReturn(Optional.empty());
     
     // execute and assert
-    assertTrue(validator.validate(claims));
+    assertTrue(validator.validate(accessToken));
   }
 }