From a9bc384b48f013b5586bf2756eb61983d2100fad Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Mon, 16 Jul 2018 14:19:23 -0600
Subject: [PATCH] Reliable Error State Tests

Some of Resource Server Configurer's tests were relying on specific error messaging from Nimbus and from the JDK, which makes them brittle. These tests now simply confirm that resource server responses contain the correct error state without relying on specific wording outside of our control.
---
 .../OAuth2ResourceServerConfigurerTests.java | 48 ++++++++++++-------
 1 file changed, 30 insertions(+), 18 deletions(-)

diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
index 4f58b09896..5d3291b048 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
@@ -25,6 +25,10 @@ import javax.annotation.PreDestroy;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
+import org.hamcrest.core.AllOf;
+import org.hamcrest.core.StringContains;
+import org.hamcrest.core.StringEndsWith;
+import org.hamcrest.core.StringStartsWith;
 import org.junit.Rule;
 import org.junit.Test;
@@ -115,7 +119,7 @@ public class OAuth2ResourceServerConfigurerTests {
 this.mvc.perform(get("/").with(bearerToken(token)))
 .andExpect(status().isUnauthorized())
- .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt: Expired JWT"));
+ .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt"));
 }
 @Test
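Review bot: The expectation at -115 now passes as soon as the description contains the generic decode prefix, and `invalidTokenHeader` matches it with `StringContains`, so this test and the ones at -141, -192, -313 and -456 no longer tell apart which validation rejected the token; only each test's fixture does. That is what the commit description intends, but a reader of the test cannot see why the specific wording was dropped. A comment on the first of these assertions would keep the reasoning with the code: `// only the error state is asserted; the cause text after the prefix comes from Nimbus/the JDK and is not stable`. The test method containing this hunk starts outside the hunk.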
@@ -141,8 +145,7 @@ public class OAuth2ResourceServerConfigurerTests {
 this.mvc.perform(get("/").with(bearerToken(token)))
 .andExpect(status().isUnauthorized())
- .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt: " +
- "Couldn't retrieve remote JWK set: Connection refused (Connection refused)"));
+ .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt"));
 }
 @Test
@@ -166,8 +169,7 @@ public class OAuth2ResourceServerConfigurerTests {
 this.mvc.perform(get("/").with(bearerToken(token)))
 .andExpect(status().isUnauthorized())
- .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt: " +
- "Malformed payload"));
+ .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt: Malformed payload"));
 }
 @Test
@@ -192,8 +194,7 @@ public class OAuth2ResourceServerConfigurerTests {
 this.mvc.perform(get("/").with(bearerToken(token)))
 .andExpect(status().isUnauthorized())
- .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt: " +
- "JWT before use time"));
+ .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt"));
 }
 @Test
@@ -313,8 +314,7 @@ public class OAuth2ResourceServerConfigurerTests {
 this.mvc.perform(get("/")
 .with(bearerToken(token)))
 .andExpect(status().isUnauthorized())
- .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt: " +
- "Signed JWT rejected: Another algorithm expected, or no matching key(s) found"));
+ .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt"));
 }
 @Test
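Review bot: The removed line at -141 shows that the `error_description` returned in WWW-Authenticate carried the JWK fetch failure, including the JDK's `Connection refused` text, to the unauthenticated client; the new expectation stops asserting that wording, but presumably the header still relays it. Whether that downstream detail belongs in a client-facing header is outside this commit, but it is worth stating next to this test so the relaxed assertion is not read as confirming that nothing internal is exposed: `// NOTE: the description may still carry the JWK-fetch cause; only the invalid_token state is asserted here`. The test method containing this hunk starts outside the hunk.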
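Review bot: The expectation at -166 still pins `Malformed payload` after the prefix, which looks like the same kind of library-supplied wording the commit removes from the other tests; if that suffix comes from Nimbus rather than from the resource server's own code, this test keeps the brittleness the commit description sets out to remove. Either reduce it to the prefix like the others, `.andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt"));`, or add a comment saying the suffix is deliberately kept and why. The test method containing this hunk starts outside the hunk.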
@@ -456,7 +456,7 @@ public class OAuth2ResourceServerConfigurerTests {
 this.mvc.perform(post("/authenticated")
 .with(bearerToken(token)))
 .andExpect(status().isUnauthorized())
- .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt: Expired JWT"));
+ .andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt"));
 }
 // -- Resource Server should not create sessions
@@ -785,17 +785,29 @@ public class OAuth2ResourceServerConfigurerTests {
 }
 private static ResultMatcher invalidRequestHeader(String message) {
- return header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer " +
- "error=\"invalid_request\", " +
- "error_description=\"" + message + "\", " +
- "error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"");
+ return header().string(HttpHeaders.WWW_AUTHENTICATE,
+ AllOf.allOf(
+ new StringStartsWith("Bearer " +
+ "error=\"invalid_request\", " +
+ "error_description=\""),
+ new StringContains(message),
+ new StringEndsWith(", " +
+ "error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"")
+ )
+ );
 }
 private static ResultMatcher invalidTokenHeader(String message) {
- return header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer " +
- "error=\"invalid_token\", " +
- "error_description=\"" + message + "\", " +
- "error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"");
+ return header().string(HttpHeaders.WWW_AUTHENTICATE,
+ AllOf.allOf(
+ new StringStartsWith("Bearer " +
+ "error=\"invalid_token\", " +
+ "error_description=\""),
+ new StringContains(message),
+ new StringEndsWith(", " +
+ "error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"")
+ )
+ );
 }
 private static ResultMatcher insufficientScopeHeader(String scope) {
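Review bot: In the -785 hunk `invalidRequestHeader` and `invalidTokenHeader` build their matchers through the constructors `new StringStartsWith(...)`, `new StringContains(...)`, `new StringEndsWith(...)` plus `AllOf.allOf`, whereas the static factories on `org.hamcrest.CoreMatchers` (`startsWith`, `containsString`, `endsWith`, `allOf`) are the conventional form and would replace the four imports added at -25 with static imports. Independently of style, `StringContains(message)` accepts the message anywhere between the prefix and suffix, so a caller passing a short message gets a much weaker check than the previous exact comparison; a one-line Javadoc on each helper would make that visible to future test authors, e.g. `/** Matches a Bearer invalid_token challenge whose error_description contains {@code message}. */`. The rewritten shape for one helper is below; the other is identical apart from the error code.
```java
/** Matches a Bearer invalid_token challenge whose error_description contains {@code message}. */
private static ResultMatcher invalidTokenHeader(String message) {
    return header().string(HttpHeaders.WWW_AUTHENTICATE,
            allOf(
                    startsWith("Bearer error=\"invalid_token\", error_description=\""),
                    containsString(message),
                    endsWith(", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"")));
}
// … unchanged: invalidRequestHeader, same shape with "invalid_request" …
```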