/** * Copyright (c) 2014, Sebastian Sdorra * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * 3. Neither the name of SCM-Manager; nor the names of its * contributors may be used to endorse or promote products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * http://bitbucket.org/sdorra/scm-manager * */ package sonia.scm.security; //~--- non-JDK imports -------------------------------------------------------- import com.google.common.collect.ImmutableList; import com.google.common.collect.Sets; import io.jsonwebtoken.Claims; import io.jsonwebtoken.JwsHeader; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.PrincipalCollection; import org.hamcrest.Matchers; import org.junit.Before; import org.junit.Rule; import org.junit.Test; import org.junit.rules.ExpectedException; import org.junit.runner.RunWith; import org.mockito.InjectMocks; import org.mockito.Mock; import org.mockito.Mockito; import org.mockito.junit.MockitoJUnitRunner; import sonia.scm.group.GroupDAO; import sonia.scm.user.User; import sonia.scm.user.UserDAO; import sonia.scm.user.UserTestData; import javax.crypto.spec.SecretKeySpec; import java.util.Date; import java.util.Set; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertThat; import static org.junit.Assert.assertTrue; import static org.mockito.Mockito.any; import static org.mockito.Mockito.when; import static sonia.scm.security.SecureKeyTestUtil.createSecureKey; /** * Unit tests for {@link BearerRealm}. * * @author Sebastian Sdorra */ @SuppressWarnings("unchecked") @RunWith(MockitoJUnitRunner.class) public class BearerRealmTest { @Rule public ExpectedException expectedException = ExpectedException.none(); /** * Method description * */ @Test public void testDoGetAuthenticationInfo() { SecureKey key = createSecureKey(); User marvin = UserTestData.createMarvin(); when(userDAO.get(marvin.getName())).thenReturn(marvin); resolveKey(key); String compact = createCompactToken(marvin.getName(), key); BearerToken token = BearerToken.valueOf(compact); AuthenticationInfo info = realm.doGetAuthenticationInfo(token); assertNotNull(info); PrincipalCollection principals = info.getPrincipals(); assertEquals(marvin.getName(), principals.getPrimaryPrincipal()); assertEquals(marvin, principals.oneByType(User.class)); assertNotNull(principals.oneByType(Scope.class)); assertTrue(principals.oneByType(Scope.class).isEmpty()); } /** * Test {@link BearerRealm#doGetAuthenticationInfo(AuthenticationToken)} with scope. * */ @Test public void testDoGetAuthenticationInfoWithScope() { SecureKey key = createSecureKey(); User marvin = UserTestData.createMarvin(); when(userDAO.get(marvin.getName())).thenReturn(marvin); resolveKey(key); String compact = createCompactToken( marvin.getName(), key, new Date(System.currentTimeMillis() + 60000), Scope.valueOf("repo:*", "user:*") ); AuthenticationInfo info = realm.doGetAuthenticationInfo(BearerToken.valueOf(compact)); Scope scope = info.getPrincipals().oneByType(Scope.class); assertThat(scope, Matchers.containsInAnyOrder("repo:*", "user:*")); } /** * Test {@link BearerRealm#doGetAuthenticationInfo(AuthenticationToken)} with a failed * claims validation. */ @Test public void testDoGetAuthenticationInfoWithInvalidClaims() { SecureKey key = createSecureKey(); User marvin = UserTestData.createMarvin(); resolveKey(key); String compact = createCompactToken(marvin.getName(), key); // treat claims as invalid when(validator.validate(Mockito.anyMap())).thenReturn(false); // expect exception expectedException.expect(AuthenticationException.class); expectedException.expectMessage(Matchers.containsString("claims")); // kick authentication realm.doGetAuthenticationInfo(BearerToken.valueOf(compact)); } /** * Method description * */ @Test(expected = AuthenticationException.class) public void testDoGetAuthenticationInfoWithExpiredToken() { User trillian = UserTestData.createTrillian(); SecureKey key = createSecureKey(); resolveKey(key); Date exp = new Date(System.currentTimeMillis() - 600l); String compact = createCompactToken(trillian.getName(), key, exp, Scope.empty()); realm.doGetAuthenticationInfo(BearerToken.valueOf(compact)); } /** * Method description * */ @Test(expected = AuthenticationException.class) public void testDoGetAuthenticationInfoWithInvalidSignature() { resolveKey(createSecureKey()); User trillian = UserTestData.createTrillian(); String compact = createCompactToken(trillian.getName(), createSecureKey()); realm.doGetAuthenticationInfo(BearerToken.valueOf(compact)); } /** * Method description * */ @Test(expected = AuthenticationException.class) public void testDoGetAuthenticationInfoWithoutSignature() { String compact = Jwts.builder().setSubject("test").compact(); realm.doGetAuthenticationInfo(BearerToken.valueOf(compact)); } /** * Method description * */ @Test(expected = IllegalArgumentException.class) public void testDoGetAuthenticationInfoWrongToken() { realm.doGetAuthenticationInfo(new UsernamePasswordToken("test", "test")); } //~--- set methods ---------------------------------------------------------- /** * Method description * */ @Before public void setUp() { when(validator.validate(Mockito.anyMap())).thenReturn(true); Set validators = Sets.newHashSet(validator); realm = new BearerRealm(helperFactory, keyResolver, validators); } //~--- methods -------------------------------------------------------------- private String createCompactToken(String subject, SecureKey key) { return createCompactToken(subject, key, Scope.empty()); } private String createCompactToken(String subject, SecureKey key, Scope scope) { return createCompactToken(subject, key, new Date(System.currentTimeMillis() + 60000), scope); } private String createCompactToken(String subject, SecureKey key, Date exp, Scope scope) { return Jwts.builder() .claim(Scopes.CLAIMS_KEY, ImmutableList.copyOf(scope)) .setSubject(subject) .setExpiration(exp) .signWith(SignatureAlgorithm.HS256, key.getBytes()) .compact(); } private void resolveKey(SecureKey key) { when( keyResolver.resolveSigningKey( any(JwsHeader.class), any(Claims.class) ) ) .thenReturn( new SecretKeySpec( key.getBytes(), SignatureAlgorithm.HS256.getJcaName() ) ); } //~--- fields --------------------------------------------------------------- @InjectMocks private DAORealmHelperFactory helperFactory; @Mock private LoginAttemptHandler loginAttemptHandler; @Mock private TokenClaimsValidator validator; /** Field description */ @Mock private GroupDAO groupDAO; /** Field description */ @Mock private SecureKeyResolver keyResolver; /** Field description */ private BearerRealm realm; /** Field description */ @Mock private UserDAO userDAO; }