mirror of
https://github.com/scm-manager/scm-manager.git
synced 2025-11-09 15:05:44 +01:00
228 lines
7.1 KiB
Java
228 lines
7.1 KiB
Java
/*
|
|
* MIT License
|
|
*
|
|
* Copyright (c) 2020-present Cloudogu GmbH and Contributors
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
* in the Software without restriction, including without limitation the rights
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
* furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included in all
|
|
* copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
* SOFTWARE.
|
|
*/
|
|
|
|
package sonia.scm.security;
|
|
|
|
import com.google.common.collect.ImmutableList;
|
|
import com.google.common.collect.Sets;
|
|
import io.jsonwebtoken.Claims;
|
|
import io.jsonwebtoken.ExpiredJwtException;
|
|
import io.jsonwebtoken.JwsHeader;
|
|
import io.jsonwebtoken.Jwts;
|
|
import io.jsonwebtoken.SignatureAlgorithm;
|
|
import io.jsonwebtoken.SignatureException;
|
|
import io.jsonwebtoken.UnsupportedJwtException;
|
|
import org.apache.shiro.authc.AuthenticationException;
|
|
import org.hamcrest.Matchers;
|
|
import org.junit.Before;
|
|
import org.junit.Rule;
|
|
import org.junit.Test;
|
|
import org.junit.rules.ExpectedException;
|
|
import org.junit.runner.RunWith;
|
|
import org.mockito.Mock;
|
|
import org.mockito.Mockito;
|
|
import org.mockito.junit.MockitoJUnitRunner;
|
|
|
|
import javax.crypto.spec.SecretKeySpec;
|
|
import java.util.Date;
|
|
import java.util.Set;
|
|
|
|
import static org.hamcrest.Matchers.instanceOf;
|
|
import static org.junit.Assert.assertEquals;
|
|
import static org.junit.Assert.assertThat;
|
|
import static org.mockito.Mockito.when;
|
|
import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;
|
|
|
|
/**
|
|
* Unit tests for {@link JwtAccessTokenResolver}.
|
|
*
|
|
* @author Sebastian Sdorra
|
|
*/
|
|
@RunWith(MockitoJUnitRunner.class)
|
|
public class JwtAccessTokenResolverTest {
|
|
|
|
@Rule
|
|
public ExpectedException expectedException = ExpectedException.none();
|
|
|
|
@Mock
|
|
private SecureKeyResolver keyResolver;
|
|
|
|
@Mock
|
|
private AccessTokenValidator validator;
|
|
|
|
private JwtAccessTokenResolver resolver;
|
|
|
|
/**
|
|
* Prepares the object under test.
|
|
*/
|
|
@Before
|
|
public void prepareObjectUnderTest() {
|
|
Set<AccessTokenValidator> validators = Sets.newHashSet(validator);
|
|
when(validator.validate(Mockito.any(AccessToken.class))).thenReturn(true);
|
|
resolver = new JwtAccessTokenResolver(keyResolver, validators);
|
|
}
|
|
|
|
/**
|
|
* Tests {@link JwtAccessTokenResolver#resolve(BearerToken)}.
|
|
*/
|
|
@Test
|
|
public void testResolve() {
|
|
SecureKey secureKey = createSecureKey();
|
|
resolveKey(secureKey);
|
|
String compact = createCompactToken("marvin", secureKey);
|
|
|
|
BearerToken bearer = BearerToken.valueOf(compact);
|
|
JwtAccessToken access = resolver.resolve(bearer);
|
|
assertEquals("marvin", access.getSubject());
|
|
}
|
|
|
|
/**
|
|
* Tests {@link JwtAccessTokenResolver#resolve(BearerToken)} with a failed validator.
|
|
*/
|
|
@Test
|
|
public void testResolveWithFailedValidator() {
|
|
SecureKey secureKey = createSecureKey();
|
|
resolveKey(secureKey);
|
|
String compact = createCompactToken("marvin", secureKey);
|
|
|
|
// prepare mock
|
|
when(validator.validate(Mockito.any(AccessToken.class))).thenReturn(false);
|
|
|
|
// expect exception
|
|
expectedException.expect(AuthenticationException.class);
|
|
expectedException.expectMessage(Matchers.containsString("token"));
|
|
|
|
BearerToken bearer = BearerToken.valueOf(compact);
|
|
resolver.resolve(bearer);
|
|
}
|
|
|
|
/**
|
|
* Tests {@link JwtAccessTokenResolver#resolve(BearerToken)} with a expired token.
|
|
*/
|
|
@Test
|
|
public void testResolveWithExpiredToken() {
|
|
SecureKey secureKey = createSecureKey();
|
|
resolveKey(secureKey);
|
|
|
|
// create expired token
|
|
Date exp = new Date(System.currentTimeMillis() - 600l);
|
|
String compact = createCompactToken("trillian", secureKey, exp, Scope.empty());
|
|
|
|
// expect exception
|
|
expectedException.expect(TokenExpiredException.class);
|
|
expectedException.expectCause(instanceOf(ExpiredJwtException.class));
|
|
|
|
BearerToken bearer = BearerToken.valueOf(compact);
|
|
resolver.resolve(bearer);
|
|
}
|
|
|
|
/**
|
|
* Tests {@link JwtAccessTokenResolver#resolve(BearerToken)} with invalid signature.
|
|
*/
|
|
@Test
|
|
public void testResolveWithInvalidSignature() {
|
|
resolveKey(createSecureKey());
|
|
|
|
// create expired token
|
|
String compact = createCompactToken("trillian", createSecureKey());
|
|
|
|
// expect exception
|
|
expectedException.expect(AuthenticationException.class);
|
|
expectedException.expectCause(instanceOf(SignatureException.class));
|
|
|
|
BearerToken bearer = BearerToken.valueOf(compact);
|
|
resolver.resolve(bearer);
|
|
}
|
|
|
|
/**
|
|
* Tests {@link JwtAccessTokenResolver#resolve(BearerToken)} without signature.
|
|
*/
|
|
@Test
|
|
public void testResolveWithoutSignature() {
|
|
String compact = Jwts.builder().setSubject("test").compact();
|
|
|
|
// expect exception
|
|
expectedException.expect(AuthenticationException.class);
|
|
expectedException.expectCause(instanceOf(UnsupportedJwtException.class));
|
|
|
|
BearerToken bearer = BearerToken.valueOf(compact);
|
|
resolver.resolve(bearer);
|
|
}
|
|
|
|
/**
|
|
* Tests {@link JwtAccessTokenResolver#resolve(BearerToken)} with scope.
|
|
*/
|
|
@Test
|
|
public void testResolveWithScope() {
|
|
SecureKey key = createSecureKey();
|
|
resolveKey(key);
|
|
|
|
String compact = createCompactToken(
|
|
"marvin",
|
|
key,
|
|
new Date(System.currentTimeMillis() + 60000),
|
|
Scope.valueOf("repo:*", "user:*")
|
|
);
|
|
|
|
BearerToken bearer = BearerToken.valueOf(compact);
|
|
AccessToken access = resolver.resolve(bearer);
|
|
Scope scope = access.getScope();
|
|
assertThat(scope, Matchers.containsInAnyOrder("repo:*", "user:*"));
|
|
}
|
|
|
|
private String createCompactToken(String subject, SecureKey key) {
|
|
return createCompactToken(subject, key, Scope.empty());
|
|
}
|
|
|
|
private String createCompactToken(String subject, SecureKey key, Scope scope) {
|
|
return createCompactToken(subject, key, new Date(System.currentTimeMillis() + 60000), scope);
|
|
}
|
|
|
|
private String createCompactToken(String subject, SecureKey key, Date exp, Scope scope) {
|
|
return Jwts.builder()
|
|
.claim(Scopes.CLAIMS_KEY, ImmutableList.copyOf(scope))
|
|
.setSubject(subject)
|
|
.setExpiration(exp)
|
|
.signWith(SignatureAlgorithm.HS256, key.getBytes())
|
|
.compact();
|
|
}
|
|
|
|
private void resolveKey(SecureKey key) {
|
|
when(
|
|
keyResolver.resolveSigningKey(
|
|
Mockito.any(JwsHeader.class),
|
|
Mockito.any(Claims.class)
|
|
)
|
|
)
|
|
.thenReturn(
|
|
new SecretKeySpec(
|
|
key.getBytes(),
|
|
SignatureAlgorithm.HS256.getJcaName()
|
|
)
|
|
);
|
|
}
|
|
|
|
|
|
}
|