diff --git a/config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy deleted file mode 100644 index 1f4c03b8ac..0000000000 --- a/config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy +++ /dev/null @@ -1,166 +0,0 @@ -package org.springframework.security.config.http - -import javax.servlet.http.HttpServletRequest -import org.springframework.beans.factory.parsing.BeanDefinitionParsingException -import org.springframework.mock.web.MockFilterChain -import org.springframework.mock.web.MockHttpServletRequest -import org.springframework.mock.web.MockHttpServletResponse -import org.springframework.security.config.BeanIds -import org.springframework.security.openid.OpenIDAuthenticationFilter -import org.springframework.security.openid.OpenIDAuthenticationToken -import org.springframework.security.openid.OpenIDConsumer -import org.springframework.security.openid.OpenIDConsumerException - -import org.springframework.security.web.access.ExceptionTranslationFilter -import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices -import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter - -import javax.servlet.Filter - -/** - * - * @author Luke Taylor - */ -class OpenIDConfigTests extends AbstractHttpConfigTests { - - def openIDAndFormLoginWorkTogether() { - xml.http() { - 'openid-login'() - 'form-login'() - } - createAppContext() - - def etf = getFilter(ExceptionTranslationFilter) - def ap = etf.getAuthenticationEntryPoint(); - - expect: - ap.loginFormUrl == "/login" - // Default login filter should be present since we haven't specified any login URLs - getFilter(DefaultLoginPageGeneratingFilter) != null - } - - def formLoginEntryPointTakesPrecedenceIfLoginUrlIsSet() { - xml.http() { - 'openid-login'() - 'form-login'('login-page': '/form-page') - } - createAppContext() - - expect: - getFilter(ExceptionTranslationFilter).authenticationEntryPoint.loginFormUrl == '/form-page' - } - - def openIDEntryPointTakesPrecedenceIfLoginUrlIsSet() { - xml.http() { - 'openid-login'('login-page': '/openid-page') - 'form-login'() - } - createAppContext() - - expect: - getFilter(ExceptionTranslationFilter).authenticationEntryPoint.loginFormUrl == '/openid-page' - } - - def multipleLoginPagesCausesError() { - when: - xml.http() { - 'openid-login'('login-page': '/openid-page') - 'form-login'('login-page': '/form-page') - } - createAppContext() - then: - thrown(BeanDefinitionParsingException) - } - - def openIDAndRememberMeWorkTogether() { - xml.debug() - xml.http() { - interceptUrl('/**', 'denyAll') - 'openid-login'() - 'remember-me'() - 'csrf'(disabled:true) - } - createAppContext() - - // Default login filter should be present since we haven't specified any login URLs - def loginFilter = getFilter(DefaultLoginPageGeneratingFilter) - def openIDFilter = getFilter(OpenIDAuthenticationFilter) - openIDFilter.setConsumer(new OpenIDConsumer() { - public String beginConsumption(HttpServletRequest req, String claimedIdentity, String returnToUrl, String realm) - throws OpenIDConsumerException { - return "http://testopenid.com?openid.return_to=" + returnToUrl; - } - - public OpenIDAuthenticationToken endConsumption(HttpServletRequest req) throws OpenIDConsumerException { - throw new UnsupportedOperationException(); - } - }) - Set returnToUrlParameters = new HashSet() - returnToUrlParameters.add(AbstractRememberMeServices.DEFAULT_PARAMETER) - openIDFilter.setReturnToUrlParameters(returnToUrlParameters) - assert loginFilter.openIDrememberMeParameter != null - - MockHttpServletRequest request = new MockHttpServletRequest(method:'GET'); - MockHttpServletResponse response = new MockHttpServletResponse(); - - when: "Initial request is made" - Filter fc = appContext.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN) - request.setServletPath("/something.html") - fc.doFilter(request, response, new MockFilterChain()) - then: "Redirected to login" - response.getRedirectedUrl().endsWith("/login") - when: "Login page is requested" - request.setServletPath("/login") - request.setRequestURI("/login") - response = new MockHttpServletResponse() - fc.doFilter(request, response, new MockFilterChain()) - then: "Remember-me choice is added to page" - response.getContentAsString().contains(AbstractRememberMeServices.DEFAULT_PARAMETER) - when: "Login is submitted with remember-me selected" - request.servletPath = "/login/openid" - request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://hey.openid.com/") - request.setParameter(AbstractRememberMeServices.DEFAULT_PARAMETER, "on") - response = new MockHttpServletResponse(); - fc.doFilter(request, response, new MockFilterChain()); - String expectedReturnTo = request.getRequestURL().append("?") - .append(AbstractRememberMeServices.DEFAULT_PARAMETER) - .append("=").append("on").toString(); - then: "return_to URL contains remember-me choice" - response.getRedirectedUrl() == "http://testopenid.com?openid.return_to=" + expectedReturnTo - } - - def openIDWithAttributeExchangeConfigurationIsParsedCorrectly() { - xml.http() { - 'openid-login'() { - 'attribute-exchange'() { - 'openid-attribute'(name: 'nickname', type: 'http://schema.openid.net/namePerson/friendly') - 'openid-attribute'(name: 'email', type: 'http://schema.openid.net/contact/email', required: 'true', - 'count': '2') - } - } - } - createAppContext() - - List attributes = getFilter(OpenIDAuthenticationFilter).consumer.attributesToFetchFactory.createAttributeList('http://someid') - - expect: - attributes.size() == 2 - attributes[0].name == 'nickname' - attributes[0].type == 'http://schema.openid.net/namePerson/friendly' - !attributes[0].required - attributes[1].required - attributes[1].getCount() == 2 - } - - def 'SEC-2919: DefaultLoginGeneratingFilter should not be present if login-page="/login"'() { - when: - xml.http() { - 'openid-login'('login-page':'/login') - } - createAppContext() - - then: - getFilter(DefaultLoginPageGeneratingFilter) == null - } - -} diff --git a/config/src/test/java/org/springframework/security/config/http/OpenIDConfigTests.java b/config/src/test/java/org/springframework/security/config/http/OpenIDConfigTests.java new file mode 100644 index 0000000000..07e81a2caf --- /dev/null +++ b/config/src/test/java/org/springframework/security/config/http/OpenIDConfigTests.java @@ -0,0 +1,223 @@ +/* + * Copyright 2002-2018 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.config.http; + +import java.util.HashSet; +import java.util.Set; +import javax.servlet.Filter; +import javax.servlet.http.HttpServletRequest; + +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import org.junit.Rule; +import org.junit.Test; +import org.openid4java.consumer.ConsumerManager; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.parsing.BeanDefinitionParsingException; +import org.springframework.security.config.test.SpringTestRule; +import org.springframework.security.openid.OpenID4JavaConsumer; +import org.springframework.security.openid.OpenIDAuthenticationFilter; +import org.springframework.security.openid.OpenIDConsumer; +import org.springframework.security.util.FieldUtils; +import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices; +import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RestController; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatCode; +import static org.hamcrest.CoreMatchers.containsString; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; +import static org.openid4java.discovery.yadis.YadisResolver.YADIS_XRDS_LOCATION; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +/** + * Tests usage of the <openid-login> element + * + * @author Luke Taylor + */ +public class OpenIDConfigTests { + private static final String CONFIG_LOCATION_PREFIX = + "classpath:org/springframework/security/config/http/OpenIDConfigTests"; + + @Autowired + MockMvc mvc; + + @Rule + public final SpringTestRule spring = new SpringTestRule(); + + @Test + public void requestWhenOpenIDAndFormLoginBothConfiguredThenRedirectsToGeneratedLoginPage() + throws Exception { + + this.spring.configLocations(this.xml("WithFormLogin")).autowire(); + + this.mvc.perform(get("/")) + .andExpect(status().isFound()) + .andExpect(redirectedUrl("http://localhost/login")); + + assertThat(getFilter(DefaultLoginPageGeneratingFilter.class)).isNotNull(); + } + + @Test + public void requestWhenOpenIDAndFormLoginWithFormLoginPageConfiguredThenFormLoginPageWins() + throws Exception { + + this.spring.configLocations(this.xml("WithFormLoginPage")).autowire(); + + this.mvc.perform(get("/")) + .andExpect(status().isFound()) + .andExpect(redirectedUrl("http://localhost/form-page")); + } + + @Test + public void requestWhenOpenIDAndFormLoginWithOpenIDLoginPageConfiguredThenOpenIDLoginPageWins() + throws Exception { + + this.spring.configLocations(this.xml("WithOpenIDLoginPageAndFormLogin")).autowire(); + + this.mvc.perform(get("/")) + .andExpect(status().isFound()) + .andExpect(redirectedUrl("http://localhost/openid-page")); + } + + @Test + public void configureWhenOpenIDAndFormLoginBothConfigureLoginPagesThenWiringException() + throws Exception { + + assertThatCode(() -> this.spring.configLocations(this.xml("WithFormLoginAndOpenIDLoginPages")).autowire()) + .isInstanceOf(BeanDefinitionParsingException.class); + } + + @Test + public void requestWhenOpenIDAndRememberMeConfiguredThenRememberMePassedToIdp() + throws Exception { + + this.spring.configLocations(this.xml("WithRememberMe")).autowire(); + + OpenIDAuthenticationFilter openIDFilter = getFilter(OpenIDAuthenticationFilter.class); + + String openIdEndpointUrl = "http://testopenid.com?openid.return_to="; + Set returnToUrlParameters = new HashSet<>(); + returnToUrlParameters.add(AbstractRememberMeServices.DEFAULT_PARAMETER); + openIDFilter.setReturnToUrlParameters(returnToUrlParameters); + + OpenIDConsumer consumer = mock(OpenIDConsumer.class); + when(consumer.beginConsumption(any(HttpServletRequest.class), anyString(), anyString(), anyString())) + .then(invocation -> openIdEndpointUrl + invocation.getArgument(2)); + openIDFilter.setConsumer(consumer); + + String expectedReturnTo = new StringBuilder("http://localhost/login/openid").append("?") + .append(AbstractRememberMeServices.DEFAULT_PARAMETER) + .append("=").append("on").toString(); + + this.mvc.perform(get("/")) + .andExpect(status().isFound()) + .andExpect(redirectedUrl("http://localhost/login")); + + this.mvc.perform(get("/login")) + .andExpect(status().isOk()) + .andExpect(content().string(containsString(AbstractRememberMeServices.DEFAULT_PARAMETER))); + + this.mvc.perform(get("/login/openid") + .param(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://hey.openid.com/") + .param(AbstractRememberMeServices.DEFAULT_PARAMETER, "on")) + .andExpect(status().isFound()) + .andExpect(redirectedUrl(openIdEndpointUrl + expectedReturnTo)); + } + + @Test + public void requestWhenAttributeExchangeConfiguredThenFetchAttributesPassedToIdp() + throws Exception { + + this.spring.configLocations(this.xml("WithOpenIDAttributes")).autowire(); + + OpenIDAuthenticationFilter openIDFilter = getFilter(OpenIDAuthenticationFilter.class); + OpenID4JavaConsumer consumer = getFieldValue(openIDFilter, "consumer"); + ConsumerManager manager = getFieldValue(consumer, "consumerManager"); + manager.setMaxAssocAttempts(0); + + try ( MockWebServer server = new MockWebServer() ) { + String endpoint = server.url("/").toString(); + + server.enqueue(new MockResponse() + .addHeader(YADIS_XRDS_LOCATION, endpoint)); + server.enqueue(new MockResponse() + .setBody(String.format( + "%s", + endpoint))); + + this.mvc.perform(get("/login/openid") + .param(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, endpoint)) + .andExpect(status().isFound()) + .andExpect(result -> result.getResponse().getRedirectedUrl().endsWith( + "openid.ext1.type.nickname=http%3A%2F%2Fschema.openid.net%2FnamePerson%2Ffriendly&" + + "openid.ext1.if_available=nickname&" + + "openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&" + + "openid.ext1.required=email&" + + "openid.ext1.count.email=2")); + } + } + + /** + * SEC-2919 + */ + @Test + public void requestWhenLoginPageConfiguredWithPhraseLoginThenRedirectsOnlyToUserGeneratedLoginPage() + throws Exception { + + this.spring.configLocations(this.xml("Sec2919")).autowire(); + + assertThat(getFilter(DefaultLoginPageGeneratingFilter.class)).isNull(); + + this.mvc.perform(get("/login")) + .andExpect(status().isOk()) + .andExpect(content().string("a custom login page")); + } + + @RestController + static class CustomLoginController { + @GetMapping("/login") + public String custom() { + return "a custom login page"; + } + } + + private T getFilter(Class clazz) { + FilterChainProxy filterChain = this.spring.getContext().getBean(FilterChainProxy.class); + return (T) filterChain.getFilters("/").stream() + .filter(clazz::isInstance) + .findFirst() + .orElse(null); + } + + private String xml(String configName) { + return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml"; + } + + private static T getFieldValue(Object bean, String fieldName) throws IllegalAccessException { + return (T) FieldUtils.getFieldValue(bean, fieldName); + } +} diff --git a/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-Sec2919.xml b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-Sec2919.xml new file mode 100644 index 0000000000..db2e286975 --- /dev/null +++ b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-Sec2919.xml @@ -0,0 +1,36 @@ + + + + + + + + + + + + + + + diff --git a/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithFormLogin.xml b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithFormLogin.xml new file mode 100644 index 0000000000..331369ef87 --- /dev/null +++ b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithFormLogin.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + diff --git a/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithFormLoginAndOpenIDLoginPages.xml b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithFormLoginAndOpenIDLoginPages.xml new file mode 100644 index 0000000000..de9bb8a134 --- /dev/null +++ b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithFormLoginAndOpenIDLoginPages.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + diff --git a/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithFormLoginPage.xml b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithFormLoginPage.xml new file mode 100644 index 0000000000..cf84079b71 --- /dev/null +++ b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithFormLoginPage.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + diff --git a/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithOpenIDAttributes.xml b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithOpenIDAttributes.xml new file mode 100644 index 0000000000..9edaef345a --- /dev/null +++ b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithOpenIDAttributes.xml @@ -0,0 +1,36 @@ + + + + + + + + + + + + + + + + + diff --git a/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithOpenIDLoginPageAndFormLogin.xml b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithOpenIDLoginPageAndFormLogin.xml new file mode 100644 index 0000000000..a61ef9af0a --- /dev/null +++ b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithOpenIDLoginPageAndFormLogin.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + diff --git a/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithRememberMe.xml b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithRememberMe.xml new file mode 100644 index 0000000000..63108937bf --- /dev/null +++ b/config/src/test/resources/org/springframework/security/config/http/OpenIDConfigTests-WithRememberMe.xml @@ -0,0 +1,33 @@ + + + + + + + + + + + + + +