fixes from non OIDC standard tests #2625

wants to merge 1 commit into from
Expand Up @@ -15,6 +15,7 @@
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;

import java.net.MalformedURLException;
Expand Down Expand Up @@ -317,4 +318,12 @@ public static String getSafeParameterValue(String[] value) {
}
return StringUtils.hasText(value[0]) ? value[0] : EMPTY_STRING;
}

public static Set<String> getArrayDefaultValue(Set<String> values, String defaultValue) {
if (ObjectUtils.isEmpty(values)) {
return Set.of(defaultValue);
} else {
return values;
}
}
}
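Review bot: `getArrayDefaultValue` has no Javadoc and throws an undocumented `NullPointerException` from `Set.of(defaultValue)` whenever `values` is empty and `defaultValue` is null; in this PR the default is the client id used as the JWT `aud` fallback, so a missing client id would surface as an NPE inside token creation rather than as a clear argument error. Make the precondition explicit with `Objects.requireNonNull(defaultValue, "defaultValue");` as the first statement (`java.util.Objects`), and add a Javadoc stating that the method returns `values` unchanged when it is non-empty and otherwise an immutable single-element set of `defaultValue`, with `@throws NullPointerException` for the null default. The name says "Array" while the signature handles a `Set`; if the callers only need iteration, a `Collection<String>` parameter and return would be the more general shape, though whether the callers' `resourceIds` are sets cannot be confirmed from the hunks shown.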
Expand Up @@ -432,6 +432,13 @@ void getSafeParameterValue() {
assertEquals("", UaaStringUtils.getSafeParameterValue(null));
}

@Test
void getArrayDefaultValue() {
assertEquals(Set.of("1", "2"), UaaStringUtils.getArrayDefaultValue(Set.of("1", "2"), "1"));
assertEquals(Set.of("1"), UaaStringUtils.getArrayDefaultValue(Set.of(), "1"));
assertEquals(Set.of("1"), UaaStringUtils.getArrayDefaultValue(null, "1"));
}

private static void replaceZoneVariables(IdentityZone zone) {
String s = "https://{zone.subdomain}.domain.com/z/{zone.id}?id={zone.id}&domain={zone.subdomain}";
String expect = String.format("https://%s.domain.com/z/%s?id=%s&domain=%s", zone.getSubdomain(), zone.getId(), zone.getId(), zone.getSubdomain());
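Review bot: The new test leaves the null-default case unspecified: with an empty `values`, `Set.of((String) null)` throws `NullPointerException`, and nothing pins whether that is the intended contract. Add `assertThrows(NullPointerException.class, () -> UaaStringUtils.getArrayDefaultValue(Set.of(), null));` next to the three existing assertions, and consider `assertSame` on the non-empty case to document that the input set is returned as-is rather than copied. The `@Test` on a package-private method suggests JUnit 5, where `assertThrows` lives in `org.junit.jupiter.api.Assertions`; confirm the file's imports.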
Expand Up @@ -41,6 +41,7 @@
import org.cloudfoundry.identity.uaa.util.TimeService;
import org.cloudfoundry.identity.uaa.util.JwtTokenSignedByThisUAA;
import org.cloudfoundry.identity.uaa.util.UaaSecurityContextUtils;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.MultitenantClientServices;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
Expand Down Expand Up @@ -550,7 +551,7 @@ private KeyInfo getActiveKeyInfo() {
claims.put(ZONE_ID,IdentityZoneHolder.get().getId());
}

claims.put(AUD, resourceIds);
claims.put(AUD, UaaStringUtils.getArrayDefaultValue(resourceIds, clientId));

for (String excludedClaim : getExcludedClaims()) {
claims.remove(excludedClaim);
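Review bot: The fallback on the `claims.put(AUD, ...)` line changes the `aud` claim of every token built by this method, not only ID tokens: when `resourceIds` is empty the token now names the requesting client as its audience instead of carrying an empty collection, so any resource server that authorizes on `aud` will see a value it never saw before. OIDC Core §2 requires an ID Token's `aud` to contain the client_id, which justifies the identical edit to `IdTokenCreator.buildJwtToken` in the later hunk, but for access tokens `aud` is optional under RFC 7519 §4.1.3, so the reasoning should be recorded at the call site, e.g. `// aud must not be empty: fall back to the requesting client id when no resource ids are registered (OIDC Core §2 for ID tokens)`. Note also that the helper throws `NullPointerException` if `clientId` is null. The enclosing method starts before the hunk, so whether this path also produces access tokens cannot be confirmed from here.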
Expand Up @@ -30,13 +30,13 @@ public class HeaderParameters {
String cty;
@JsonProperty
@JsonInclude(Include.NON_NULL)
String jwk;
Object jwk;
@JsonProperty
@JsonInclude(Include.NON_NULL)
String x5u;
@JsonProperty
@JsonInclude(Include.NON_NULL)
String x5c;
Object x5c;
@JsonProperty
@JsonInclude(Include.NON_NULL)
String x5t;
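Review bot: Widening `jwk` and `x5c` from `String` to `Object` discards the structure RFC 7515 actually specifies — `jwk` (§4.1.3) is a JSON object and `x5c` (§4.1.6) a JSON array of base64-encoded DER certificates — so `Map<String, Object>` and `List<String>` would be more accurate than `Object` and would spare the use sites a cast; at minimum a comment should say why the type was loosened. Whatever the declared type, both parameters arrive in an unverified JOSE header and are under the sender's control until the signature has been checked with a key obtained out of band; a field comment such as `// Parsed for completeness only; never use an embedded jwk/x5c as the trust anchor for signature verification` would record that contract for future readers. The class continues outside the hunk, so it is not visible here whether anything reads these fields.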
Expand Up @@ -9,6 +9,7 @@
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.TimeService;
import org.cloudfoundry.identity.uaa.util.JwtTokenSignedByThisUAA;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.cloudfoundry.identity.uaa.zone.TokenPolicy;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
Expand Down Expand Up @@ -88,7 +89,7 @@ private String buildJwtToken(UaaUser user,
claims.put(CLIENT_ID, tokenRequestData.clientId);
claims.put(ISS, tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()));
claims.put(ZONE_ID, IdentityZoneHolder.get().getId());
claims.put(AUD, tokenRequestData.resourceIds);
claims.put(AUD, UaaStringUtils.getArrayDefaultValue(tokenRequestData.resourceIds, tokenRequestData.clientId));
claims.put(GRANTED_SCOPES, tokenRequestData.scopes);

if (null != tokenRequestData.authenticationMethods && !tokenRequestData.authenticationMethods.isEmpty()) {
Expand Up @@ -191,8 +191,8 @@ public TokenTestSupport(UaaTokenEnhancer tokenEnhancer, KeyInfoService keyInfo)
IdentityZoneConfiguration config = new IdentityZoneConfiguration();
tokenPolicy = new TokenPolicy(accessTokenValidity, refreshTokenValidity);
Map<String, String> keys = new HashMap<>();
keys.put("testKey", "9c247h8yt978w3nv45y978w45hntv6");
keys.put("otherKey", "unc0uf98gv89egh4v98749978hv");
keys.put("testKey", "9c247h8yt978w3nv45y978w45hntv6210");
keys.put("otherKey", "unc0uf98gv89egh4v98749978hvy52oa");
tokenPolicy.setKeys(keys);
tokenPolicy.setActiveKeyId("testKey");
config.setTokenPolicy(tokenPolicy);
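Review bot: The two test keys are lengthened without saying why; presumably to satisfy the 32-byte minimum RFC 7518 §3.2 imposes on HMAC-SHA-256 keys (the old `testKey` value was 30 characters and the new one 33; `otherKey` goes from 27 to 32), and that reason should be written down so nobody trims them again, e.g. `// HS256 keys must be at least 256 bits (RFC 7518 §3.2); keep these >= 32 chars`. The constructor continues outside the hunk.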
Expand Up @@ -187,7 +187,7 @@ void setUp() throws Exception {
IdentityZoneHolder.clear();
String keyName = "testKey";
header = map(
entry("alg", "HS256"),
entry("alg", "RS256"),
entry("kid", keyName),
entry("typ", "JWT")
);
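Review bot: Switching the header `alg` from `HS256` to `RS256` is only correct if the token built in this setUp is really signed with an RSA key, which the hunk does not show; the same edit is made in the nine header maps of the next file section, where the signer is visibly `new RsaSigner(...)`, so the intent is presumably to make the header agree with the key. That the old, mismatched header passed these tests suggests — this cannot be confirmed from here — that the verifier under test does not reject a token whose `alg` disagrees with the type of the key it is verified with; a negative test that signs with the RSA key, declares `HS256`, and expects the `Could not verify token signature.` message those tests already use would pin that behaviour. The setUp method continues outside the hunk.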
Expand Up @@ -159,11 +159,14 @@ public void getExternalAuthenticationDetails_whenProviderHasSigningKey_throwsWhe
expectedException.expectMessage("Could not verify token signature.");

Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, OIDC_PROVIDER_KEY)
);
Signer signer = new RsaSigner(changedOidcProviderTokenSigningKey);
Map<String, Object> claims = map(
entry(EXPIRY_IN_SECONDS, 0),
entry(AUD, "uaa-relying-party"),
entry(ISS, oidcConfig.getIssuer()),
entry(EMAIL, "someuser@google.com")
);
IdentityZoneHolder.get().getConfig().getTokenPolicy().setKeys(Collections.singletonMap("uaa-key", uaaIdentityZoneTokenSigningKey));
Expand All @@ -180,7 +183,7 @@ public void getExternalAuthenticationDetails_whenProviderIssuerMatchesUaaIssuer_
expectedException.expectMessage("Could not verify token signature.");

Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, "uaa-key")
);
Signer signer = new RsaSigner(oidcProviderTokenSigningKey);
Expand All @@ -197,7 +200,7 @@ public void getExternalAuthenticationDetails_whenProviderIssuerMatchesUaaIssuer_
@Test
public void getExternalAuthenticationDetails_doesNotThrowWhenIdTokenIsValid() {
Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, OIDC_PROVIDER_KEY)
);
Signer signer = new RsaSigner(oidcProviderTokenSigningKey);
Expand All @@ -220,7 +223,7 @@ public void getExternalAuthenticationDetails_doesNotThrowWhenIdTokenIsValid() {
public void getExternalAuthenticationDetails_whenUaaToken_doesNotThrowWhenIdTokenIsValid() {
oidcConfig.setIssuer(tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()));
Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, "uaa-key")
);
Signer signer = new RsaSigner(uaaIdentityZoneTokenSigningKey);
Expand All @@ -243,7 +246,7 @@ public void getExternalAuthenticationDetails_whenUaaToken_doesNotThrowWhenIdToke
public void getExternalAuthenticationDetails_whenUaaToken_mapRoleAsExplicitToScopeWhenIdTokenIsValid() {
oidcConfig.setIssuer(tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()));
Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, "uaa-key")
);
Signer signer = new RsaSigner(uaaIdentityZoneTokenSigningKey);
Expand Down Expand Up @@ -274,7 +277,7 @@ public void getExternalAuthenticationDetails_whenUaaToken_mapRoleAsExplicitToSco
public void getExternalAuthenticationDetails_whenUaaToken_mapRoleAsScopeToScopeWhenIdTokenIsValid() {
oidcConfig.setIssuer(tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()));
Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, "uaa-key")
);
Signer signer = new RsaSigner(uaaIdentityZoneTokenSigningKey);
Expand Down Expand Up @@ -307,7 +310,7 @@ public void getExternalAuthenticationDetails_whenUaaToken_mapRoleAsScopeToScopeW
public void getExternalAuthenticationDetails_whenUaaToken_mapRoleAsScopeToScopeWhenIdTokenIsValid_AndFilterManagerRolesOnly() {
oidcConfig.setIssuer(tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()));
Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, "uaa-key")
);
Signer signer = new RsaSigner(uaaIdentityZoneTokenSigningKey);
Expand Down Expand Up @@ -339,7 +342,7 @@ public void getExternalAuthenticationDetails_whenUaaToken_mapRoleAsScopeToScopeW
@Test
public void getUser_doesNotThrowWhenIdTokenMappingIsArray() {
Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, OIDC_PROVIDER_KEY)
);
Signer signer = new RsaSigner(oidcProviderTokenSigningKey);
Expand Down Expand Up @@ -374,7 +377,7 @@ public void getUser_doesNotThrowWhenIdTokenMappingIsArray() {
@Test
public void getUser_doesThrowWhenIdTokenMappingIsAmbiguous() {
Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, OIDC_PROVIDER_KEY)
);
Signer signer = new RsaSigner(oidcProviderTokenSigningKey);
Expand Down Expand Up @@ -402,7 +405,7 @@ public void getUser_doesThrowWhenIdTokenMappingIsAmbiguous() {
@Test
public void getUser_doesThrowWhenIdTokenMappingIsWrongType() {
Map<String, Object> header = map(
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()),
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
entry(HeaderParameterNames.KEY_ID, OIDC_PROVIDER_KEY)
);
Signer signer = new RsaSigner(oidcProviderTokenSigningKey);
Expand Up @@ -100,6 +100,7 @@
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.GregorianCalendar;
Expand Down Expand Up @@ -4148,7 +4149,13 @@ private void validateOpenIdConnectToken(String token, String userId, String clie
assertEquals(tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()), iss);
String sub = (String) result.get(ClaimConstants.SUB);
assertEquals(userId, sub);
List<String> aud = (List<String>) result.get(ClaimConstants.AUD);
Object audObject = result.get(ClaimConstants.AUD);
List<String> aud = new ArrayList<>();
if (audObject instanceof Collection<?>) {
aud.addAll((List<String>) result.get(ClaimConstants.AUD));
} else if (audObject instanceof String audString) {
aud.add(audString);
}
assertTrue(aud.contains(clientId));
Integer exp = (Integer) result.get(ClaimConstants.EXPIRY_IN_SECONDS);
assertNotNull(exp);
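Review bot: The guard on the `aud` claim checks `instanceof Collection<?>` but then casts to `List<String>`, so a `Set` or any other non-`List` collection — which the check itself admits — would fail with `ClassCastException` instead of being collected; the branch also re-reads the map instead of using `audObject`. Cast to the type that was checked, `aud.addAll((Collection<String>) audObject);`, and keep the unavoidable unchecked warning confined to that expression. Mixing the pattern form `instanceof String audString` with an old-style cast on the branch above reads inconsistently; `if (audObject instanceof Collection<?> audCollection)` would give both branches the same shape. validateOpenIdConnectToken starts before the hunk.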