Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Polish oauth2-jose format 

Issue gh-8945
This commit is contained in:
Rob Winch 2020-08-24 09:49:41 -05:00
parent a729d24d47
commit d5ae4337e3
15 changed files with 849 additions and 229 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtils.java
View File

@ -100,18 +100,27 @@ final class JwtDecoderProviderConfigurationUtils {
}
private static URI oidc(URI issuer) {
return UriComponentsBuilder.fromUri(issuer).replacePath(issuer.getPath() + OIDC_METADATA_PATH)
// @formatter:off
return UriComponentsBuilder.fromUri(issuer)
.replacePath(issuer.getPath() + OIDC_METADATA_PATH)
.build(Collections.emptyMap());
// @formatter:on
}
private static URI oidcRfc8414(URI issuer) {
return UriComponentsBuilder.fromUri(issuer).replacePath(OIDC_METADATA_PATH + issuer.getPath())
// @formatter:off
return UriComponentsBuilder.fromUri(issuer)
.replacePath(OIDC_METADATA_PATH + issuer.getPath())
.build(Collections.emptyMap());
// @formatter:on
}
private static URI oauth(URI issuer) {
return UriComponentsBuilder.fromUri(issuer).replacePath(OAUTH_METADATA_PATH + issuer.getPath())
// @formatter:off
return UriComponentsBuilder.fromUri(issuer)
.replacePath(OAUTH_METADATA_PATH + issuer.getPath())
.build(Collections.emptyMap());
// @formatter:on
}
}

7
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
View File

@ -147,7 +147,12 @@ public final class NimbusJwtDecoder implements JwtDecoder {
JWTClaimsSet jwtClaimsSet = this.jwtProcessor.process(parsedJwt, null);
Map<String, Object> headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
Map<String, Object> claims = this.claimSetConverter.convert(jwtClaimsSet.getClaims());
return Jwt.withTokenValue(token).headers((h) -> h.putAll(headers)).claims((c) -> c.putAll(claims)).build();
// @formatter:off
return Jwt.withTokenValue(token)
.headers((h) -> h.putAll(headers))
.claims((c) -> c.putAll(claims))
.build();
// @formatter:on
}
catch (RemoteKeySourceException ex) {
if (ex.getCause() instanceof ParseException) {

5
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoder.java
View File

@ -159,10 +159,13 @@ public final class NimbusReactiveJwtDecoder implements ReactiveJwtDecoder {
private Mono<Jwt> decode(JWT parsedToken) {
try {
return this.jwtProcessor.convert(parsedToken).map((set) -> createJwt(parsedToken, set))
// @formatter:off
return this.jwtProcessor.convert(parsedToken)
.map((set) -> createJwt(parsedToken, set))
.map(this::validateJwt)
.onErrorMap((ex) -> !(ex instanceof IllegalStateException) && !(ex instanceof JwtException),
(ex) -> new JwtException("An error occurred while attempting to decode the Jwt: ", ex));
// @formatter:on
}
catch (JwtException ex) {
throw ex;

22
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/ReactiveRemoteJWKSource.java
View File

@ -54,9 +54,14 @@ class ReactiveRemoteJWKSource implements ReactiveJWKSource {
@Override
public Mono<List<JWK>> get(JWKSelector jwkSelector) {
return this.cachedJWKSet.get().switchIfEmpty(Mono.defer(() -> getJWKSet()))
// @formatter:off
return this.cachedJWKSet.get()
.switchIfEmpty(Mono.defer(() -> getJWKSet()))
.flatMap((jwkSet) -> get(jwkSelector, jwkSet))
.switchIfEmpty(Mono.defer(() -> getJWKSet().map((jwkSet) -> jwkSelector.select(jwkSet))));
.switchIfEmpty(Mono.defer(() -> getJWKSet()
.map((jwkSet) -> jwkSelector.select(jwkSet)))
);
// @formatter:on
}
private Mono<List<JWK>> get(JWKSelector jwkSelector, JWKSet jwkSet) {
@ -89,8 +94,17 @@ class ReactiveRemoteJWKSource implements ReactiveJWKSource {
* @throws RemoteKeySourceException If JWK retrieval failed.
*/
private Mono<JWKSet> getJWKSet() {
return this.webClient.get().uri(this.jwkSetURL).retrieve().bodyToMono(String.class).map(this::parse)
.doOnNext((jwkSet) -> this.cachedJWKSet.set(Mono.just(jwkSet))).cache();
// @formatter:off
return this.webClient.get()
.uri(this.jwkSetURL)
.retrieve()
.bodyToMono(String.class)
.map(this::parse)
.doOnNext((jwkSet) -> this.cachedJWKSet
.set(Mono.just(jwkSet))
)
.cache();
// @formatter:on
}
private JWKSet parse(String body) {

11
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jose/TestKeys.java
View File

@ -48,12 +48,15 @@ public final class TestKeys {
public static final SecretKey DEFAULT_SECRET_KEY = new SecretKeySpec(
Base64.getDecoder().decode(DEFAULT_ENCODED_SECRET_KEY), "AES");
// @formatter:off
public static final String DEFAULT_RSA_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3FlqJr5TRskIQIgdE3Dd"
+ "7D9lboWdcTUT8a+fJR7MAvQm7XXNoYkm3v7MQL1NYtDvL2l8CAnc0WdSTINU6IRv"
+ "c5Kqo2Q4csNX9SHOmEfzoROjQqahEcve1jBXluoCXdYuYpx4/1tfRgG6ii4Uhxh6"
+ "iI8qNMJQX+fLfqhbfYfxBQVRPywBkAbIP4x1EAsbC6FSNmkhCxiMNqEgxaIpY8C2"
+ "kJdJ/ZIV+WW4noDdzpKqHcwmB8FsrumlVY/DNVvUSDIipiq9PbP4H99TXN1o746o"
+ "RaNa07rq1hoCgMSSy+85SagCoxlmyE+D+of9SsMY8Ol9t0rdzpobBuhyJ/o5dfvj" + "KwIDAQAB";
+ "RaNa07rq1hoCgMSSy+85SagCoxlmyE+D+of9SsMY8Ol9t0rdzpobBuhyJ/o5dfvj"
+ "KwIDAQAB";
// @formatter:on
public static final RSAPublicKey DEFAULT_PUBLIC_KEY;
static {
@ -65,6 +68,8 @@ public final class TestKeys {
throw new IllegalArgumentException(ex);
}
}
// @formatter:off
public static final String DEFAULT_RSA_PRIVATE_KEY = "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDcWWomvlNGyQhA"
+ "iB0TcN3sP2VuhZ1xNRPxr58lHswC9Cbtdc2hiSbe/sxAvU1i0O8vaXwICdzRZ1JM"
+ "g1TohG9zkqqjZDhyw1f1Ic6YR/OhE6NCpqERy97WMFeW6gJd1i5inHj/W19GAbqK"
@ -89,7 +94,9 @@ public final class TestKeys {
+ "FiGm+mC/skFS0MWgW8evaHGDbWU180wheQ35hW6oKAb7myRHtr4q20ouEtQMdQIF"
+ "snV39G1iyqeeAsf7dxWElydXpRi2b68i3BIgzhzebQKBgQCdUQuTsqV9y/JFpu6H"
+ "c5TVvhG/ubfBspI5DhQqIGijnVBzFT//UfIYMSKJo75qqBEyP2EJSmCsunWsAFsM"
+ "TszuiGTkrKcZy9G0wJqPztZZl2F2+bJgnA6nBEV7g5PA4Af+QSmaIhRwqGDAuROR" + "47jndeyIaMTNETEmOnms+as17g==";
+ "TszuiGTkrKcZy9G0wJqPztZZl2F2+bJgnA6nBEV7g5PA4Af+QSmaIhRwqGDAuROR"
+ "47jndeyIaMTNETEmOnms+as17g==";
// @formatter:on
public static final RSAPrivateKey DEFAULT_PRIVATE_KEY;
static {

65
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtBuilderTests.java
View File

@ -34,9 +34,18 @@ public class JwtBuilderTests {
@Test
public void buildWhenCalledTwiceThenGeneratesTwoJwts() {
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token");
Jwt first = jwtBuilder.tokenValue("V1").header("TEST_HEADER_1", "H1").claim("TEST_CLAIM_1", "C1").build();
Jwt second = jwtBuilder.tokenValue("V2").header("TEST_HEADER_1", "H2").header("TEST_HEADER_2", "H3")
.claim("TEST_CLAIM_1", "C2").claim("TEST_CLAIM_2", "C3").build();
// @formatter:off
Jwt first = jwtBuilder.tokenValue("V1")
.header("TEST_HEADER_1", "H1")
.claim("TEST_CLAIM_1", "C1")
.build();
Jwt second = jwtBuilder.tokenValue("V2")
.header("TEST_HEADER_1", "H2")
.header("TEST_HEADER_2", "H3")
.claim("TEST_CLAIM_1", "C2")
.claim("TEST_CLAIM_2", "C3")
.build();
// @formatter:on
assertThat(first.getHeaders()).hasSize(1);
assertThat(first.getHeaders().get("TEST_HEADER_1")).isEqualTo("H1");
assertThat(first.getClaims()).hasSize(1);
@ -53,7 +62,10 @@ public class JwtBuilderTests {
@Test
public void expiresAtWhenUsingGenericOrNamedClaimMethodRequiresInstant() {
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token").header("needs", "a header");
// @formatter:off
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token")
.header("needs", "a header");
// @formatter:on
Instant now = Instant.now();
Jwt jwt = jwtBuilder.expiresAt(now).build();
assertThat(jwt.getExpiresAt()).isSameAs(now);
@ -65,7 +77,10 @@ public class JwtBuilderTests {
@Test
public void issuedAtWhenUsingGenericOrNamedClaimMethodRequiresInstant() {
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token").header("needs", "a header");
// @formatter:off
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token")
.header("needs", "a header");
// @formatter:on
Instant now = Instant.now();
Jwt jwt = jwtBuilder.issuedAt(now).build();
assertThat(jwt.getIssuedAt()).isSameAs(now);
@ -77,7 +92,10 @@ public class JwtBuilderTests {
@Test
public void subjectWhenUsingGenericOrNamedClaimMethodThenLastOneWins() {
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token").header("needs", "a header");
// @formatter:off
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token")
.header("needs", "a header");
// @formatter:on
String generic = new String("sub");
String named = new String("sub");
Jwt jwt = jwtBuilder.subject(named).claim(JwtClaimNames.SUB, generic).build();
@ -88,14 +106,23 @@ public class JwtBuilderTests {
@Test
public void claimsWhenRemovingAClaimThenIsNotPresent() {
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token").claim("needs", "a claim").header("needs", "a header");
Jwt jwt = jwtBuilder.subject("sub").claims((claims) -> claims.remove(JwtClaimNames.SUB)).build();
// @formatter:off
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token")
.claim("needs", "a claim")
.header("needs", "a header");
Jwt jwt = jwtBuilder.subject("sub")
.claims((claims) -> claims.remove(JwtClaimNames.SUB))
.build();
// @formatter:on
assertThat(jwt.getSubject()).isNull();
}
@Test
public void claimsWhenAddingAClaimThenIsPresent() {
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token").header("needs", "a header");
// @formatter:off
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token")
.header("needs", "a header");
// @formatter:on
String name = new String("name");
String value = new String("value");
Jwt jwt = jwtBuilder.claims((claims) -> claims.put(name, value)).build();
@ -105,17 +132,29 @@ public class JwtBuilderTests {
@Test
public void headersWhenRemovingAClaimThenIsNotPresent() {
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token").claim("needs", "a claim").header("needs", "a header");
Jwt jwt = jwtBuilder.header("alg", "none").headers((headers) -> headers.remove("alg")).build();
// @formatter:off
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token")
.claim("needs", "a claim")
.header("needs", "a header");
Jwt jwt = jwtBuilder.header("alg", "none")
.headers((headers) -> headers.remove("alg"))
.build();
// @formatter:on
assertThat(jwt.getHeaders().get("alg")).isNull();
}
@Test
public void headersWhenAddingAClaimThenIsPresent() {
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token").claim("needs", "a claim");
// @formatter:off
Jwt.Builder jwtBuilder = Jwt.withTokenValue("token")
.claim("needs", "a claim");
// @formatter:on
String name = new String("name");
String value = new String("value");
Jwt jwt = jwtBuilder.headers((headers) -> headers.put(name, value)).build();
// @formatter:off
Jwt jwt = jwtBuilder.headers((headers) -> headers.put(name, value))
.build();
// @formatter:on
assertThat(jwt.getHeaders()).hasSize(1);
assertThat(jwt.getHeaders().get(name)).isSameAs(value);
}

136
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtDecodersTests.java
View File

@ -55,15 +55,30 @@ public class JwtDecodersTests {
* Contains those parameters required to construct a JwtDecoder as well as any
* required parameters
*/
// @formatter:off
private static final String DEFAULT_RESPONSE_TEMPLATE = "{\n"
+ " \"authorization_endpoint\": \"https://example.com/o/oauth2/v2/auth\", \n"
+ " \"id_token_signing_alg_values_supported\": [\n" + " \"RS256\"\n" + " ], \n"
+ " \"issuer\": \"%s\", \n" + " \"jwks_uri\": \"%s/.well-known/jwks.json\", \n"
+ " \"response_types_supported\": [\n" + " \"code\", \n" + " \"token\", \n"
+ " \"id_token\", \n" + " \"code token\", \n" + " \"code id_token\", \n"
+ " \"token id_token\", \n" + " \"code token id_token\", \n" + " \"none\"\n"
+ " ], \n" + " \"subject_types_supported\": [\n" + " \"public\"\n" + " ], \n"
+ " \"token_endpoint\": \"https://example.com/oauth2/v4/token\"\n" + "}";
+ " \"id_token_signing_alg_values_supported\": [\n"
+ " \"RS256\"\n"
+ " ], \n"
+ " \"issuer\": \"%s\", \n"
+ " \"jwks_uri\": \"%s/.well-known/jwks.json\", \n"
+ " \"response_types_supported\": [\n"
+ " \"code\", \n"
+ " \"token\", \n"
+ " \"id_token\", \n"
+ " \"code token\", \n"
+ " \"code id_token\", \n"
+ " \"token id_token\", \n"
+ " \"code token id_token\", \n"
+ " \"none\"\n"
+ " ], \n"
+ " \"subject_types_supported\": [\n"
+ " \"public\"\n"
+ " ], \n"
+ " \"token_endpoint\": \"https://example.com/oauth2/v4/token\"\n"
+ "}";
// @formatter:on
private static final String JWK_SET = "{\"keys\":[{\"p\":\"49neceJFs8R6n7WamRGy45F5Tv0YM-R2ODK3eSBUSLOSH2tAqjEVKOkLE5fiNA3ygqq15NcKRadB2pTVf-Yb5ZIBuKzko8bzYIkIqYhSh_FAdEEr0vHF5fq_yWSvc6swsOJGqvBEtuqtJY027u-G2gAQasCQdhyejer68zsTn8M\",\"kty\":\"RSA\",\"q\":\"tWR-ysspjZ73B6p2vVRVyHwP3KQWL5KEQcdgcmMOE_P_cPs98vZJfLhxobXVmvzuEWBpRSiqiuyKlQnpstKt94Cy77iO8m8ISfF3C9VyLWXi9HUGAJb99irWABFl3sNDff5K2ODQ8CmuXLYM25OwN3ikbrhEJozlXg_NJFSGD4E\",\"d\":\"FkZHYZlw5KSoqQ1i2RA2kCUygSUOf1OqMt3uomtXuUmqKBm_bY7PCOhmwbvbn4xZYEeHuTR8Xix-0KpHe3NKyWrtRjkq1T_un49_1LLVUhJ0dL-9_x0xRquVjhl_XrsRXaGMEHs8G9pLTvXQ1uST585gxIfmCe0sxPZLvwoic-bXf64UZ9BGRV3lFexWJQqCZp2S21HfoU7wiz6kfLRNi-K4xiVNB1gswm_8o5lRuY7zB9bRARQ3TS2G4eW7p5sxT3CgsGiQD3_wPugU8iDplqAjgJ5ofNJXZezoj0t6JMB_qOpbrmAM1EnomIPebSLW7Ky9SugEd6KMdL5lW6AuAQ\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"one\",\"qi\":\"wdkFu_tV2V1l_PWUUimG516Zvhqk2SWDw1F7uNDD-Lvrv_WNRIJVzuffZ8WYiPy8VvYQPJUrT2EXL8P0ocqwlaSTuXctrORcbjwgxDQDLsiZE0C23HYzgi0cofbScsJdhcBg7d07LAf7cdJWG0YVl1FkMCsxUlZ2wTwHfKWf-v4\",\"dp\":\"uwnPxqC-IxG4r33-SIT02kZC1IqC4aY7PWq0nePiDEQMQWpjjNH50rlq9EyLzbtdRdIouo-jyQXB01K15-XXJJ60dwrGLYNVqfsTd0eGqD1scYJGHUWG9IDgCsxyEnuG3s0AwbW2UolWVSsU2xMZGb9PurIUZECeD1XDZwMp2s0\",\"dq\":\"hra786AunB8TF35h8PpROzPoE9VJJMuLrc6Esm8eZXMwopf0yhxfN2FEAvUoTpLJu93-UH6DKenCgi16gnQ0_zt1qNNIVoRfg4rw_rjmsxCYHTVL3-RDeC8X_7TsEySxW0EgFTHh-nr6I6CQrAJjPM88T35KHtdFATZ7BCBB8AE\",\"n\":\"oXJ8OyOv_eRnce4akdanR4KYRfnC2zLV4uYNQpcFn6oHL0dj7D6kxQmsXoYgJV8ZVDn71KGmuLvolxsDncc2UrhyMBY6DVQVgMSVYaPCTgW76iYEKGgzTEw5IBRQL9w3SRJWd3VJTZZQjkXef48Ocz06PGF3lhbz4t5UEZtdF4rIe7u-977QwHuh7yRPBQ3sII-cVoOUMgaXB9SHcGF2iZCtPzL_IffDUcfhLQteGebhW8A6eUHgpD5A1PQ-JCw_G7UOzZAjjDjtNM2eqm8j-Ms_gqnm4MiCZ4E-9pDN77CAAPVN7kuX6ejs9KBXpk01z48i9fORYk9u7rAkh1HuQw\"}]}";
@ -93,24 +108,33 @@ public class JwtDecodersTests {
public void issuerWhenResponseIsTypicalThenReturnedDecoderValidatesIssuer() {
prepareConfigurationResponse();
JwtDecoder decoder = JwtDecoders.fromOidcIssuerLocation(this.issuer);
assertThatExceptionOfType(JwtValidationException.class).isThrownBy(() -> decoder.decode(ISSUER_MISMATCH))
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> decoder.decode(ISSUER_MISMATCH))
.withMessageContaining("The iss claim is not valid");
// @formatter:on
}
@Test
public void issuerWhenOidcFallbackResponseIsTypicalThenReturnedDecoderValidatesIssuer() {
prepareConfigurationResponseOidc();
JwtDecoder decoder = JwtDecoders.fromIssuerLocation(this.issuer);
assertThatExceptionOfType(JwtValidationException.class).isThrownBy(() -> decoder.decode(ISSUER_MISMATCH))
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> decoder.decode(ISSUER_MISMATCH))
.withMessageContaining("The iss claim is not valid");
// @formatter:on
}
@Test
public void issuerWhenOAuth2ResponseIsTypicalThenReturnedDecoderValidatesIssuer() {
prepareConfigurationResponseOAuth2();
JwtDecoder decoder = JwtDecoders.fromIssuerLocation(this.issuer);
assertThatExceptionOfType(JwtValidationException.class).isThrownBy(() -> decoder.decode(ISSUER_MISMATCH))
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> decoder.decode(ISSUER_MISMATCH))
.withMessageContaining("The iss claim is not valid");
// @formatter:on
}
@Test
@ -147,13 +171,19 @@ public class JwtDecodersTests {
@Test
public void issuerWhenOidcFallbackResponseIsNonCompliantThenThrowsRuntimeException() {
prepareConfigurationResponseOidc("{ \"missing_required_keys\" : \"and_values\" }");
assertThatExceptionOfType(RuntimeException.class).isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOAuth2ResponseIsNonCompliantThenThrowsRuntimeException() {
prepareConfigurationResponseOAuth2("{ \"missing_required_keys\" : \"and_values\" }");
assertThatExceptionOfType(RuntimeException.class).isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
// gh-7512
@ -161,8 +191,11 @@ public class JwtDecodersTests {
public void issuerWhenResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException()
throws JsonMappingException, JsonProcessingException {
prepareConfigurationResponse(this.buildResponseWithMissingJwksUri());
assertThatIllegalArgumentException().isThrownBy(() -> JwtDecoders.fromOidcIssuerLocation(this.issuer))
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> JwtDecoders.fromOidcIssuerLocation(this.issuer))
.withMessage("The public JWK set URI must not be null");
// @formatter:on
}
// gh-7512
@ -170,8 +203,12 @@ public class JwtDecodersTests {
public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException()
throws JsonMappingException, JsonProcessingException {
prepareConfigurationResponseOidc(this.buildResponseWithMissingJwksUri());
assertThatIllegalArgumentException().isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer))
.isInstanceOf(IllegalArgumentException.class).withMessage("The public JWK set URI must not be null");
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer))
.isInstanceOf(IllegalArgumentException.class)
.withMessage("The public JWK set URI must not be null");
// @formatter:on
}
// gh-7512
@ -179,59 +216,85 @@ public class JwtDecodersTests {
public void issuerWhenOAuth2ResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException()
throws JsonMappingException, JsonProcessingException {
prepareConfigurationResponseOAuth2(this.buildResponseWithMissingJwksUri());
assertThatIllegalArgumentException().isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer))
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer))
.withMessage("The public JWK set URI must not be null");
// @formatter:on
}
@Test
public void issuerWhenResponseIsMalformedThenThrowsRuntimeException() {
prepareConfigurationResponse("malformed");
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> JwtDecoders.fromOidcIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOidcFallbackResponseIsMalformedThenThrowsRuntimeException() {
prepareConfigurationResponseOidc("malformed");
assertThatExceptionOfType(RuntimeException.class).isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOAuth2ResponseIsMalformedThenThrowsRuntimeException() {
prepareConfigurationResponseOAuth2("malformed");
assertThatExceptionOfType(RuntimeException.class).isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenRespondingIssuerMismatchesRequestedIssuerThenThrowsIllegalStateException() {
prepareConfigurationResponse(String.format(DEFAULT_RESPONSE_TEMPLATE, this.issuer + "/wrong", this.issuer));
assertThatIllegalStateException().isThrownBy(() -> JwtDecoders.fromOidcIssuerLocation(this.issuer));
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> JwtDecoders.fromOidcIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOidcFallbackRespondingIssuerMismatchesRequestedIssuerThenThrowsIllegalStateException() {
prepareConfigurationResponseOidc(String.format(DEFAULT_RESPONSE_TEMPLATE, this.issuer + "/wrong", this.issuer));
assertThatIllegalStateException().isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOAuth2RespondingIssuerMismatchesRequestedIssuerThenThrowsIllegalStateException() {
prepareConfigurationResponseOAuth2(
String.format(DEFAULT_RESPONSE_TEMPLATE, this.issuer + "/wrong", this.issuer));
assertThatIllegalStateException().isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> JwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenRequestedIssuerIsUnresponsiveThenThrowsIllegalArgumentException() throws Exception {
this.server.shutdown();
assertThatIllegalArgumentException().isThrownBy(() -> JwtDecoders.fromOidcIssuerLocation("https://issuer"));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> JwtDecoders.fromOidcIssuerLocation("https://issuer"));
// @formatter:on
}
@Test
public void issuerWhenOidcFallbackRequestedIssuerIsUnresponsiveThenThrowsIllegalArgumentException()
throws Exception {
this.server.shutdown();
assertThatIllegalArgumentException().isThrownBy(() -> JwtDecoders.fromIssuerLocation("https://issuer"));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> JwtDecoders.fromIssuerLocation("https://issuer"));
// @formatter:on
}
private void prepareConfigurationResponse() {
@ -272,8 +335,13 @@ public class JwtDecodersTests {
Dispatcher dispatcher = new Dispatcher() {
@Override
public MockResponse dispatch(RecordedRequest request) {
return Optional.of(request).map(RecordedRequest::getRequestUrl).map(HttpUrl::toString)
.map(responses::get).orElse(new MockResponse().setResponseCode(404));
// @formatter:off
return Optional.of(request)
.map(RecordedRequest::getRequestUrl)
.map(HttpUrl::toString)
.map(responses::get)
.orElse(new MockResponse().setResponseCode(404));
// @formatter:on
}
};
this.server.setDispatcher(dispatcher);
@ -285,12 +353,20 @@ public class JwtDecodersTests {
private String oidc() {
URI uri = URI.create(this.issuer);
return UriComponentsBuilder.fromUri(uri).replacePath(uri.getPath() + OIDC_METADATA_PATH).toUriString();
// @formatter:off
return UriComponentsBuilder.fromUri(uri)
.replacePath(uri.getPath() + OIDC_METADATA_PATH)
.toUriString();
// @formatter:on
}
private String oauth() {
URI uri = URI.create(this.issuer);
return UriComponentsBuilder.fromUri(uri).replacePath(OAUTH_METADATA_PATH + uri.getPath()).toUriString();
// @formatter:off
return UriComponentsBuilder.fromUri(uri)
.replacePath(OAUTH_METADATA_PATH + uri.getPath())
.toUriString();
// @formatter:on
}
private String jwks() {
@ -298,7 +374,11 @@ public class JwtDecodersTests {
}
private MockResponse response(String body) {
return new MockResponse().setBody(body).setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
// @formatter:off
return new MockResponse()
.setBody(body)
.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
// @formatter:on
}
public String buildResponseWithMissingJwksUri() throws JsonMappingException, JsonProcessingException {

20
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java
View File

@ -36,7 +36,10 @@ public class JwtIssuerValidatorTests {
@Test
public void validateWhenIssuerMatchesThenReturnsSuccess() {
Jwt jwt = TestJwts.jwt().claim("iss", ISSUER).build();
assertThat(this.validator.validate(jwt)).isEqualTo(OAuth2TokenValidatorResult.success());
// @formatter:off
assertThat(this.validator.validate(jwt))
.isEqualTo(OAuth2TokenValidatorResult.success());
// @formatter:on
}
@Test
@ -58,17 +61,26 @@ public class JwtIssuerValidatorTests {
public void validateWhenIssuerMatchesAndIsNotAUriThenReturnsSuccess() {
Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.ISS, "issuer").build();
JwtIssuerValidator validator = new JwtIssuerValidator("issuer");
assertThat(validator.validate(jwt)).isEqualTo(OAuth2TokenValidatorResult.success());
// @formatter:off
assertThat(validator.validate(jwt))
.isEqualTo(OAuth2TokenValidatorResult.success());
// @formatter:on
}
@Test
public void validateWhenJwtIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.validator.validate(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.validator.validate(null));
// @formatter:on
}
@Test
public void constructorWhenNullIssuerIsGivenThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new JwtIssuerValidator(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> new JwtIssuerValidator(null));
// @formatter:on
}
}

25
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTimestampValidatorTests.java
View File

@ -57,7 +57,11 @@ public class JwtTimestampValidatorTests {
Jwt jwt = TestJwts.jwt().expiresAt(oneHourAgo).build();
JwtTimestampValidator jwtValidator = new JwtTimestampValidator();
Collection<OAuth2Error> details = jwtValidator.validate(jwt).getErrors();
Collection<String> messages = details.stream().map(OAuth2Error::getDescription).collect(Collectors.toList());
// @formatter:off
Collection<String> messages = details.stream()
.map(OAuth2Error::getDescription)
.collect(Collectors.toList());
// @formatter:on
assertThat(messages).contains("Jwt expired at " + oneHourAgo);
}
@ -67,7 +71,11 @@ public class JwtTimestampValidatorTests {
Jwt jwt = TestJwts.jwt().notBefore(oneHourFromNow).build();
JwtTimestampValidator jwtValidator = new JwtTimestampValidator();
Collection<OAuth2Error> details = jwtValidator.validate(jwt).getErrors();
Collection<String> messages = details.stream().map(OAuth2Error::getDescription).collect(Collectors.toList());
// @formatter:off
Collection<String> messages = details.stream()
.map(OAuth2Error::getDescription)
.collect(Collectors.toList());
// @formatter:on
assertThat(messages).contains("Jwt used before " + oneHourFromNow);
}
@ -84,13 +92,22 @@ public class JwtTimestampValidatorTests {
assertThat(jwtValidator.validate(jwt).hasErrors()).isFalse();
jwt = TestJwts.jwt().expiresAt(justOverOneDayAgo).build();
OAuth2TokenValidatorResult result = jwtValidator.validate(jwt);
Collection<String> messages = result.getErrors().stream().map(OAuth2Error::getDescription)
// @formatter:off
Collection<String> messages = result.getErrors()
.stream()
.map(OAuth2Error::getDescription)
.collect(Collectors.toList());
// @formatter:on
assertThat(result.hasErrors()).isTrue();
assertThat(messages).contains("Jwt expired at " + justOverOneDayAgo);
jwt = TestJwts.jwt().notBefore(justOverOneDayFromNow).build();
result = jwtValidator.validate(jwt);
messages = result.getErrors().stream().map(OAuth2Error::getDescription).collect(Collectors.toList());
// @formatter:off
messages = result.getErrors()
.stream()
.map(OAuth2Error::getDescription)
.collect(Collectors.toList());
// @formatter:on
assertThat(result.hasErrors()).isTrue();
assertThat(messages).contains("Jwt used before " + justOverOneDayFromNow);
}

36
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderJwkSupportTests.java
View File

@ -111,8 +111,11 @@ public class NimbusJwtDecoderJwkSupportTests {
// gh-5457
@Test
public void decodeWhenPlainJwtThenExceptionDoesNotMentionClass() {
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> this.jwtDecoder.decode(UNSIGNED_JWT))
// @formatter:off
assertThatExceptionOfType(JwtException.class)
.isThrownBy(() -> this.jwtDecoder.decode(UNSIGNED_JWT))
.withMessageContaining("Unsupported algorithm of none");
// @formatter:on
}
@Test
@ -121,8 +124,11 @@ public class NimbusJwtDecoderJwkSupportTests {
server.enqueue(new MockResponse().setBody(JWK_SET));
String jwkSetUrl = server.url("/.well-known/jwks.json").toString();
NimbusJwtDecoderJwkSupport jwtDecoder = new NimbusJwtDecoderJwkSupport(jwkSetUrl);
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> jwtDecoder.decode(MALFORMED_JWT))
// @formatter:off
assertThatExceptionOfType(JwtException.class)
.isThrownBy(() -> jwtDecoder.decode(MALFORMED_JWT))
.withMessage("An error occurred while attempting to decode the Jwt: Malformed payload");
// @formatter:on
server.shutdown();
}
}
@ -133,8 +139,11 @@ public class NimbusJwtDecoderJwkSupportTests {
server.enqueue(new MockResponse().setBody(MALFORMED_JWK_SET));
String jwkSetUrl = server.url("/.well-known/jwks.json").toString();
NimbusJwtDecoderJwkSupport jwtDecoder = new NimbusJwtDecoderJwkSupport(jwkSetUrl);
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
// @formatter:off
assertThatExceptionOfType(JwtException.class)
.isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
.withMessage("An error occurred while attempting to decode the Jwt: Malformed Jwk set");
// @formatter:on
server.shutdown();
}
}
@ -145,8 +154,11 @@ public class NimbusJwtDecoderJwkSupportTests {
server.enqueue(new MockResponse().setBody(MALFORMED_JWK_SET));
String jwkSetUrl = server.url("/.well-known/jwks.json").toString();
NimbusJwtDecoderJwkSupport jwtDecoder = new NimbusJwtDecoderJwkSupport(jwkSetUrl);
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
// @formatter:off
assertThatExceptionOfType(JwtException.class)
.isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
.withMessageContaining("An error occurred while attempting to decode the Jwt");
// @formatter:on
server.shutdown();
}
}
@ -176,8 +188,11 @@ public class NimbusJwtDecoderJwkSupportTests {
OAuth2TokenValidator<Jwt> jwtValidator = mock(OAuth2TokenValidator.class);
given(jwtValidator.validate(any(Jwt.class))).willReturn(OAuth2TokenValidatorResult.failure(failure));
decoder.setJwtValidator(jwtValidator);
assertThatExceptionOfType(JwtValidationException.class).isThrownBy(() -> decoder.decode(SIGNED_JWT))
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> decoder.decode(SIGNED_JWT))
.withMessageContaining("mock-description");
// @formatter:on
}
}
@ -193,9 +208,14 @@ public class NimbusJwtDecoderJwkSupportTests {
OAuth2TokenValidator<Jwt> jwtValidator = mock(OAuth2TokenValidator.class);
given(jwtValidator.validate(any(Jwt.class))).willReturn(result);
decoder.setJwtValidator(jwtValidator);
assertThatExceptionOfType(JwtValidationException.class).isThrownBy(() -> decoder.decode(SIGNED_JWT))
.withMessageContaining("mock-description").satisfies((ex) -> assertThat(ex)
.hasFieldOrPropertyWithValue("errors", Arrays.asList(firstFailure, secondFailure)));
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> decoder.decode(SIGNED_JWT))
.withMessageContaining("mock-description")
.satisfies((ex) -> assertThat(ex)
.hasFieldOrPropertyWithValue("errors", Arrays.asList(firstFailure, secondFailure))
);
// @formatter:on
}
}

313
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
View File

@ -75,9 +75,7 @@ import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given;
@ -128,22 +126,34 @@ public class NimbusJwtDecoderTests {
@Test
public void constructorWhenJwtProcessorIsNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new NimbusJwtDecoder(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> new NimbusJwtDecoder(null));
// @formatter:on
}
@Test
public void setClaimSetConverterWhenIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.jwtDecoder.setClaimSetConverter(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.jwtDecoder.setClaimSetConverter(null));
// @formatter:on
}
@Test
public void setJwtValidatorWhenNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.jwtDecoder.setJwtValidator(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.jwtDecoder.setJwtValidator(null));
// @formatter:on
}
@Test
public void decodeWhenJwtInvalidThenThrowJwtException() {
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> this.jwtDecoder.decode("invalid"));
// @formatter:off
assertThatExceptionOfType(JwtException.class)
.isThrownBy(() -> this.jwtDecoder.decode("invalid"));
// @formatter:on
}
// gh-5168
@ -160,14 +170,20 @@ public class NimbusJwtDecoderTests {
// gh-5457
@Test
public void decodeWhenPlainJwtThenExceptionDoesNotMentionClass() {
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> this.jwtDecoder.decode(UNSIGNED_JWT))
// @formatter:off
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> this.jwtDecoder.decode(UNSIGNED_JWT))
.withMessageContaining("Unsupported algorithm of none");
// @formatter:on
}
@Test
public void decodeWhenJwtIsMalformedThenReturnsStockException() {
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> this.jwtDecoder.decode(MALFORMED_JWT))
// @formatter:off
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> this.jwtDecoder.decode(MALFORMED_JWT))
.withMessage("An error occurred while attempting to decode the Jwt: Malformed payload");
// @formatter:on
}
@Test
@ -176,8 +192,11 @@ public class NimbusJwtDecoderTests {
OAuth2TokenValidator<Jwt> jwtValidator = mock(OAuth2TokenValidator.class);
given(jwtValidator.validate(any(Jwt.class))).willReturn(OAuth2TokenValidatorResult.failure(failure));
this.jwtDecoder.setJwtValidator(jwtValidator);
assertThatExceptionOfType(JwtValidationException.class).isThrownBy(() -> this.jwtDecoder.decode(SIGNED_JWT))
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> this.jwtDecoder.decode(SIGNED_JWT))
.withMessageContaining("mock-description");
// @formatter:on
}
@Test
@ -188,9 +207,14 @@ public class NimbusJwtDecoderTests {
OAuth2TokenValidator<Jwt> jwtValidator = mock(OAuth2TokenValidator.class);
given(jwtValidator.validate(any(Jwt.class))).willReturn(result);
this.jwtDecoder.setJwtValidator(jwtValidator);
assertThatExceptionOfType(JwtValidationException.class).isThrownBy(() -> this.jwtDecoder.decode(SIGNED_JWT))
.withMessageContaining("mock-description").satisfies((ex) -> assertThat(ex)
.hasFieldOrPropertyWithValue("errors", Arrays.asList(firstFailure, secondFailure)));
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> this.jwtDecoder.decode(SIGNED_JWT))
.withMessageContaining("mock-description")
.satisfies((ex) -> assertThat(ex)
.hasFieldOrPropertyWithValue("errors", Arrays.asList(firstFailure, secondFailure))
);
// @formatter:on
}
@Test
@ -202,8 +226,11 @@ public class NimbusJwtDecoderTests {
OAuth2Error error2 = new OAuth2Error("mock-error-second", "mock-description-second", "mock-uri-second");
OAuth2TokenValidatorResult result = OAuth2TokenValidatorResult.failure(errorEmpty, error, error2);
given(jwtValidator.validate(any(Jwt.class))).willReturn(result);
Assertions.assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> this.jwtDecoder.decode(SIGNED_JWT)).withMessageContaining("mock-description");
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> this.jwtDecoder.decode(SIGNED_JWT))
.withMessageContaining("mock-description");
// @formatter:on
}
@Test
@ -222,7 +249,10 @@ public class NimbusJwtDecoderTests {
Converter<Map<String, Object>, Map<String, Object>> claimSetConverter = mock(Converter.class);
this.jwtDecoder.setClaimSetConverter(claimSetConverter);
given(claimSetConverter.convert(any(Map.class))).willThrow(new IllegalArgumentException("bad conversion"));
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> this.jwtDecoder.decode(SIGNED_JWT));
// @formatter:off
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> this.jwtDecoder.decode(SIGNED_JWT));
// @formatter:on
}
@Test
@ -235,9 +265,12 @@ public class NimbusJwtDecoderTests {
@Test
public void decodeWhenJwkResponseIsMalformedThenReturnsStockException() {
NimbusJwtDecoder jwtDecoder = new NimbusJwtDecoder(withSigning(MALFORMED_JWK_SET));
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
// @formatter:off
assertThatExceptionOfType(JwtException.class)
.isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
.isNotInstanceOf(BadJwtException.class)
.withMessage("An error occurred while attempting to decode the Jwt: Malformed Jwk set");
// @formatter:on
}
@Test
@ -246,9 +279,12 @@ public class NimbusJwtDecoderTests {
String jwkSetUri = server.url("/.well-known/jwks.json").toString();
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
server.shutdown();
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
// @formatter:off
assertThatExceptionOfType(JwtException.class)
.isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
.isNotInstanceOf(BadJwtException.class)
.withMessageContaining("An error occurred while attempting to decode the Jwt");
// @formatter:on
}
}
@ -259,58 +295,89 @@ public class NimbusJwtDecoderTests {
String jwkSetUri = server.url("/.well-known/jwks.json").toString();
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).cache(cache).build();
server.shutdown();
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
// @formatter:off
assertThatExceptionOfType(JwtException.class)
.isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
.isNotInstanceOf(BadJwtException.class)
.withMessageContaining("An error occurred while attempting to decode the Jwt");
// @formatter:on
}
}
@Test
public void withJwkSetUriWhenNullOrEmptyThenThrowsException() {
assertThatIllegalArgumentException().isThrownBy(() -> NimbusJwtDecoder.withJwkSetUri(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusJwtDecoder.withJwkSetUri(null));
// @formatter:on
}
@Test
public void jwsAlgorithmWhenNullThenThrowsException() {
NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI);
assertThatIllegalArgumentException().isThrownBy(() -> builder.jwsAlgorithm(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> builder.jwsAlgorithm(null));
// @formatter:on
}
@Test
public void restOperationsWhenNullThenThrowsException() {
NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI);
assertThatIllegalArgumentException().isThrownBy(() -> builder.restOperations(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> builder.restOperations(null));
// @formatter:on
}
@Test
public void cacheWhenNullThenThrowsException() {
NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI);
assertThatIllegalArgumentException().isThrownBy(() -> builder.cache(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> builder.cache(null));
// @formatter:on
}
@Test
public void withPublicKeyWhenNullThenThrowsException() {
assertThatIllegalArgumentException().isThrownBy(() -> NimbusJwtDecoder.withPublicKey(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusJwtDecoder.withPublicKey(null));
// @formatter:on
}
@Test
public void buildWhenSignatureAlgorithmMismatchesKeyTypeThenThrowsException() {
Assertions.assertThatCode(
() -> NimbusJwtDecoder.withPublicKey(key()).signatureAlgorithm(SignatureAlgorithm.ES256).build())
.isInstanceOf(IllegalStateException.class);
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> NimbusJwtDecoder.withPublicKey(key())
.signatureAlgorithm(SignatureAlgorithm.ES256)
.build()
);
// @formatter:on
}
@Test
public void decodeWhenUsingPublicKeyThenSuccessfullyDecodes() throws Exception {
NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(key()).build();
assertThat(decoder.decode(RS256_SIGNED_JWT)).extracting(Jwt::getSubject).isEqualTo("test-subject");
// @formatter:off
assertThat(decoder.decode(RS256_SIGNED_JWT))
.extracting(Jwt::getSubject)
.isEqualTo("test-subject");
// @formatter:on
}
@Test
public void decodeWhenUsingPublicKeyWithRs512ThenSuccessfullyDecodes() throws Exception {
NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(key()).signatureAlgorithm(SignatureAlgorithm.RS512)
// @formatter:off
NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(key())
.signatureAlgorithm(SignatureAlgorithm.RS512)
.build();
assertThat(decoder.decode(RS512_SIGNED_JWT)).extracting(Jwt::getSubject).isEqualTo("test-subject");
assertThat(decoder.decode(RS512_SIGNED_JWT))
.extracting(Jwt::getSubject)
.isEqualTo("test-subject");
// @formatter:on
}
// gh-7049
@ -318,20 +385,35 @@ public class NimbusJwtDecoderTests {
public void decodeWhenUsingPublicKeyWithKidThenStillUsesKey() throws Exception {
RSAPublicKey publicKey = TestKeys.DEFAULT_PUBLIC_KEY;
RSAPrivateKey privateKey = TestKeys.DEFAULT_PRIVATE_KEY;
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("one").build();
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60))).build();
// @formatter:off
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
.keyID("one")
.build();
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
.subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60)))
.build();
// @formatter:on
SignedJWT signedJwt = signedJwt(privateKey, header, claimsSet);
NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(publicKey)
.signatureAlgorithm(SignatureAlgorithm.RS256).build();
assertThat(decoder.decode(signedJwt.serialize())).extracting(Jwt::getSubject).isEqualTo("test-subject");
// @formatter:off
NimbusJwtDecoder decoder = NimbusJwtDecoder
.withPublicKey(publicKey)
.signatureAlgorithm(SignatureAlgorithm.RS256)
.build();
assertThat(decoder.decode(signedJwt.serialize()))
.extracting(Jwt::getSubject)
.isEqualTo("test-subject");
// @formatter:on
}
@Test
public void decodeWhenSignatureMismatchesAlgorithmThenThrowsException() throws Exception {
NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(key()).signatureAlgorithm(SignatureAlgorithm.RS512)
.build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(RS256_SIGNED_JWT));
// @formatter:off
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> decoder.decode(RS256_SIGNED_JWT));
// @formatter:on
}
// gh-8730
@ -343,91 +425,143 @@ public class NimbusJwtDecoderTests {
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().expirationTime(Date.from(Instant.now().plusSeconds(60)))
.build();
SignedJWT signedJwt = signedJwt(privateKey, header, claimsSet);
// @formatter:off
NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(publicKey)
.signatureAlgorithm(SignatureAlgorithm.RS256)
.jwtProcessorCustomizer(
(p) -> p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS"))))
.jwtProcessorCustomizer((p) -> p
.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS")))
)
.build();
// @formatter:on
assertThat(decoder.decode(signedJwt.serialize()).containsClaim(JwtClaimNames.EXP)).isNotNull();
}
@Test
public void withPublicKeyWhenJwtProcessorCustomizerNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusJwtDecoder.withPublicKey(key()).jwtProcessorCustomizer(null))
.withMessage("jwtProcessorCustomizer cannot be null");
// @formatter:on
}
@Test
public void withSecretKeyWhenNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> NimbusJwtDecoder.withSecretKey(null))
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusJwtDecoder.withSecretKey(null))
.withMessage("secretKey cannot be null");
// @formatter:on
}
@Test
public void withSecretKeyWhenMacAlgorithmNullThenThrowsIllegalArgumentException() {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusJwtDecoder.withSecretKey(secretKey).macAlgorithm(null))
.withMessage("macAlgorithm cannot be null");
// @formatter:on
}
@Test
public void decodeWhenUsingSecretKeyThenSuccessfullyDecodes() throws Exception {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
MacAlgorithm macAlgorithm = MacAlgorithm.HS256;
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60))).build();
// @formatter:off
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
.subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60)))
.build();
// @formatter:on
SignedJWT signedJWT = signedJwt(secretKey, macAlgorithm, claimsSet);
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey).macAlgorithm(macAlgorithm).build();
assertThat(decoder.decode(signedJWT.serialize())).extracting(Jwt::getSubject).isEqualTo("test-subject");
// @formatter:off
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey)
.macAlgorithm(macAlgorithm)
.build();
assertThat(decoder.decode(signedJWT.serialize()))
.extracting(Jwt::getSubject)
.isEqualTo("test-subject");
// @formatter:on
}
@Test
public void decodeWhenUsingSecretKeyAndIncorrectAlgorithmThenThrowsJwtException() throws Exception {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
MacAlgorithm macAlgorithm = MacAlgorithm.HS256;
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60))).build();
// @formatter:off
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
.subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60)))
.build();
// @formatter:on
SignedJWT signedJWT = signedJwt(secretKey, macAlgorithm, claimsSet);
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey).macAlgorithm(MacAlgorithm.HS512).build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(signedJWT.serialize()))
// @formatter:off
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey)
.macAlgorithm(MacAlgorithm.HS512)
.build();
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> decoder.decode(signedJWT.serialize()))
.withMessageContaining("Unsupported algorithm of HS256");
// @formatter:on
}
// gh-7056
@Test
public void decodeWhenUsingSecertKeyWithKidThenStillUsesKey() throws Exception {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256).keyID("one").build();
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60))).build();
// @formatter:off
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256)
.keyID("one")
.build();
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
.subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60)))
.build();
// @formatter:on
SignedJWT signedJwt = signedJwt(secretKey, header, claimsSet);
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey).macAlgorithm(MacAlgorithm.HS256).build();
assertThat(decoder.decode(signedJwt.serialize())).extracting(Jwt::getSubject).isEqualTo("test-subject");
// @formatter:off
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey)
.macAlgorithm(MacAlgorithm.HS256)
.build();
assertThat(decoder.decode(signedJwt.serialize()))
.extracting(Jwt::getSubject)
.isEqualTo("test-subject");
// @formatter:on
}
// gh-8730
@Test
public void withSecretKeyWhenUsingCustomTypeHeaderThenSuccessfullyDecodes() throws Exception {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256).type(new JOSEObjectType("JWS")).build();
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().expirationTime(Date.from(Instant.now().plusSeconds(60)))
// @formatter:off
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256)
.type(new JOSEObjectType("JWS"))
.build();
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
.expirationTime(Date.from(Instant.now().plusSeconds(60)))
.build();
// @formatter:on
SignedJWT signedJwt = signedJwt(secretKey, header, claimsSet);
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey).macAlgorithm(MacAlgorithm.HS256)
.jwtProcessorCustomizer(
(p) -> p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS"))))
// @formatter:off
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey)
.macAlgorithm(MacAlgorithm.HS256)
.jwtProcessorCustomizer((p) -> p
.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS")))
)
.build();
// @formatter:on
assertThat(decoder.decode(signedJwt.serialize()).containsClaim(JwtClaimNames.EXP)).isNotNull();
}
@Test
public void withSecretKeyWhenJwtProcessorCustomizerNullThenThrowsIllegalArgumentException() {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusJwtDecoder.withSecretKey(secretKey).jwtProcessorCustomizer(null))
.withMessage("jwtProcessorCustomizer cannot be null");
// @formatter:on
}
@Test
@ -443,8 +577,11 @@ public class NimbusJwtDecoderTests {
@Test
public void jwsKeySelectorWhenOneAlgorithmThenReturnsSingleSelector() {
JWKSource<SecurityContext> jwkSource = mock(JWKSource.class);
// @formatter:off
JWSKeySelector<SecurityContext> jwsKeySelector = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
.jwsAlgorithm(SignatureAlgorithm.RS512).jwsKeySelector(jwkSource);
.jwsAlgorithm(SignatureAlgorithm.RS512)
.jwsKeySelector(jwkSource);
// @formatter:on
assertThat(jwsKeySelector instanceof JWSVerificationKeySelector);
JWSVerificationKeySelector<?> jwsVerificationKeySelector = (JWSVerificationKeySelector<?>) jwsKeySelector;
assertThat(jwsVerificationKeySelector.isAllowed(JWSAlgorithm.RS512)).isTrue();
@ -453,9 +590,12 @@ public class NimbusJwtDecoderTests {
@Test
public void jwsKeySelectorWhenMultipleAlgorithmThenReturnsCompositeSelector() {
JWKSource<SecurityContext> jwkSource = mock(JWKSource.class);
// @formatter:off
JWSKeySelector<SecurityContext> jwsKeySelector = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
.jwsAlgorithm(SignatureAlgorithm.RS256).jwsAlgorithm(SignatureAlgorithm.RS512)
.jwsAlgorithm(SignatureAlgorithm.RS256)
.jwsAlgorithm(SignatureAlgorithm.RS512)
.jwsKeySelector(jwkSource);
// @formatter:on
assertThat(jwsKeySelector instanceof JWSVerificationKeySelector);
JWSVerificationKeySelector<?> jwsAlgorithmMapKeySelector = (JWSVerificationKeySelector<?>) jwsKeySelector;
assertThat(jwsAlgorithmMapKeySelector.isAllowed(JWSAlgorithm.RS256)).isTrue();
@ -468,8 +608,11 @@ public class NimbusJwtDecoderTests {
RestOperations restOperations = mock(RestOperations.class);
given(restOperations.exchange(any(RequestEntity.class), eq(String.class)))
.willReturn(new ResponseEntity<>(JWK_SET, HttpStatus.OK));
// @formatter:off
JWTProcessor<SecurityContext> processor = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
.restOperations(restOperations).processor();
.restOperations(restOperations)
.processor();
// @formatter:on
NimbusJwtDecoder jwtDecoder = new NimbusJwtDecoder(processor);
jwtDecoder.decode(SIGNED_JWT);
ArgumentCaptor<RequestEntity> requestEntityCaptor = ArgumentCaptor.forClass(RequestEntity.class);
@ -484,8 +627,12 @@ public class NimbusJwtDecoderTests {
RestOperations restOperations = mock(RestOperations.class);
given(restOperations.exchange(any(RequestEntity.class), eq(String.class)))
.willReturn(new ResponseEntity<>(JWK_SET, HttpStatus.OK));
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).restOperations(restOperations)
.cache(cache).build();
// @formatter:off
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
.restOperations(restOperations)
.cache(cache)
.build();
// @formatter:on
jwtDecoder.decode(SIGNED_JWT);
assertThat(cache.get(JWK_SET_URI, String.class)).isEqualTo(JWK_SET);
ArgumentCaptor<RequestEntity> requestEntityCaptor = ArgumentCaptor.forClass(RequestEntity.class);
@ -500,8 +647,12 @@ public class NimbusJwtDecoderTests {
RestOperations restOperations = mock(RestOperations.class);
Cache cache = mock(Cache.class);
given(cache.get(eq(JWK_SET_URI), any(Callable.class))).willReturn(JWK_SET);
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).cache(cache)
.restOperations(restOperations).build();
// @formatter:off
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
.cache(cache)
.restOperations(restOperations)
.build();
// @formatter:on
jwtDecoder.decode(SIGNED_JWT);
verify(cache).get(eq(JWK_SET_URI), any(Callable.class));
verifyNoMoreInteractions(cache);
@ -514,11 +665,16 @@ public class NimbusJwtDecoderTests {
RestOperations restOperations = mock(RestOperations.class);
given(restOperations.exchange(any(RequestEntity.class), eq(String.class)))
.willThrow(new RestClientException("Cannot retrieve JWK Set"));
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).restOperations(restOperations)
.cache(cache).build();
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
// @formatter:off
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
.restOperations(restOperations)
.cache(cache)
.build();
assertThatExceptionOfType(JwtException.class)
.isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
.isNotInstanceOf(BadJwtException.class)
.withMessageContaining("An error occurred while attempting to decode the Jwt");
// @formatter:on
}
// gh-8730
@ -527,20 +683,27 @@ public class NimbusJwtDecoderTests {
RestOperations restOperations = mock(RestOperations.class);
given(restOperations.exchange(any(RequestEntity.class), eq(String.class)))
.willReturn(new ResponseEntity<>(JWK_SET, HttpStatus.OK));
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).restOperations(restOperations)
.jwtProcessorCustomizer(
(p) -> p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS"))))
// @formatter:off
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
.restOperations(restOperations)
.jwtProcessorCustomizer((p) -> p
.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS")))
)
.build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
.withMessageContaining("An error occurred while attempting to decode the Jwt: "
+ "Required JOSE header \"typ\" (type) parameter is missing");
// @formatter:on
}
@Test
public void withJwkSetUriWhenJwtProcessorCustomizerNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).jwtProcessorCustomizer(null))
.withMessage("jwtProcessorCustomizer cannot be null");
// @formatter:on
}
private RSAPublicKey key() throws InvalidKeySpecException {
@ -574,7 +737,11 @@ public class NimbusJwtDecoderTests {
RestOperations restOperations = mock(RestOperations.class);
given(restOperations.exchange(any(RequestEntity.class), eq(String.class)))
.willReturn(new ResponseEntity<>(jwkResponse, HttpStatus.OK));
return NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).restOperations(restOperations).processor();
// @formatter:off
return NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
.restOperations(restOperations)
.processor();
// @formatter:on
}
private static JWTProcessor<SecurityContext> withoutSigning() {

261
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoderTests.java
View File

@ -86,10 +86,19 @@ public class NimbusReactiveJwtDecoderTests {
private String unsignedToken = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJleHAiOi0yMDMzMjI0OTcsImp0aSI6IjEyMyIsInR5cCI6IkpXVCJ9.";
private String jwkSet = "{\n" + " \"keys\":[\n" + " {\n" + " \"kty\":\"RSA\",\n"
+ " \"e\":\"AQAB\",\n" + " \"use\":\"sig\",\n" + " \"kid\":\"key-id-1\",\n"
// @formatter:off
private String jwkSet = "{\n"
+ " \"keys\":[\n"
+ " {\n"
+ " \"kty\":\"RSA\",\n"
+ " \"e\":\"AQAB\",\n"
+ " \"use\":\"sig\",\n"
+ " \"kid\":\"key-id-1\",\n"
+ " \"n\":\"qL48v1clgFw-Evm145pmh8nRYiNt72Gupsshn7Qs8dxEydCRp1DPOV_PahPk1y2nvldBNIhfNL13JOAiJ6BTiF-2ICuICAhDArLMnTH61oL1Hepq8W1xpa9gxsnL1P51thvfmiiT4RTW57koy4xIWmIp8ZXXfYgdH2uHJ9R0CQBuYKe7nEOObjxCFWC8S30huOfW2cYtv0iB23h6w5z2fDLjddX6v_FXM7ktcokgpm3_XmvT_-bL6_GGwz9k6kJOyMTubecr-WT__le8ikY66zlplYXRQh6roFfFCL21Pt8xN5zrk-0AMZUnmi8F2S2ztSBmAVJ7H71ELXsURBVZpw\"\n"
+ " }\n" + " ]\n" + "}";
+ " }\n"
+ " ]\n"
+ "}";
// @formatter:on
private String jwkSetUri = "https://issuer/certs";
@ -126,8 +135,11 @@ public class NimbusReactiveJwtDecoderTests {
@Test
public void decodeWhenInvalidUrl() {
this.decoder = new NimbusReactiveJwtDecoder("https://s");
assertThatIllegalStateException().isThrownBy(() -> this.decoder.decode(this.messageReadToken).block())
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> this.decoder.decode(this.messageReadToken).block())
.withCauseInstanceOf(UnknownHostException.class);
// @formatter:on
}
@Test
@ -162,13 +174,19 @@ public class NimbusReactiveJwtDecoderTests {
@Test
public void decodeWhenNoPeriodThenFail() {
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> this.decoder.decode("").block());
// @formatter:off
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> this.decoder.decode("").block());
// @formatter:on
}
@Test
public void decodeWhenInvalidJwkSetUrlThenFail() {
this.decoder = new NimbusReactiveJwtDecoder("http://localhost:1280/certs");
assertThatIllegalStateException().isThrownBy(() -> this.decoder.decode(this.messageReadToken).block());
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> this.decoder.decode(this.messageReadToken).block());
// @formatter:on
}
@Test
@ -179,23 +197,34 @@ public class NimbusReactiveJwtDecoderTests {
@Test
public void decodeWhenAlgNoneThenFail() {
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> this.decoder.decode(
"ew0KICAiYWxnIjogIm5vbmUiLA0KICAidHlwIjogIkpXVCINCn0.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA0KICAibmFtZSI6ICJKb2huIERvZSIsDQogICJpYXQiOiAxNTE2MjM5MDIyDQp9.")
.block()).withMessage("Unsupported algorithm of none");
// @formatter:off
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> this.decoder
.decode("ew0KICAiYWxnIjogIm5vbmUiLA0KICAidHlwIjogIkpXVCINCn0.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA0KICAibmFtZSI6ICJKb2huIERvZSIsDQogICJpYXQiOiAxNTE2MjM5MDIyDQp9.")
.block()
)
.withMessage("Unsupported algorithm of none");
// @formatter:on
}
@Test
public void decodeWhenInvalidAlgMismatchThenFail() {
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> this.decoder.decode(
"ew0KICAiYWxnIjogIkVTMjU2IiwNCiAgInR5cCI6ICJKV1QiDQp9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA0KICAibmFtZSI6ICJKb2huIERvZSIsDQogICJpYXQiOiAxNTE2MjM5MDIyDQp9.")
.block());
// @formatter:off
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> this.decoder
.decode("ew0KICAiYWxnIjogIkVTMjU2IiwNCiAgInR5cCI6ICJKV1QiDQp9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA0KICAibmFtZSI6ICJKb2huIERvZSIsDQogICJpYXQiOiAxNTE2MjM5MDIyDQp9.")
.block()
);
// @formatter:on
}
@Test
public void decodeWhenUnsignedTokenThenMessageDoesNotMentionClass() {
// @formatter:off
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> this.decoder.decode(this.unsignedToken).block())
.withMessage("Unsupported algorithm of none");
// @formatter:on
}
@Test
@ -205,9 +234,11 @@ public class NimbusReactiveJwtDecoderTests {
OAuth2Error error = new OAuth2Error("mock-error", "mock-description", "mock-uri");
OAuth2TokenValidatorResult result = OAuth2TokenValidatorResult.failure(error);
given(jwtValidator.validate(any(Jwt.class))).willReturn(result);
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> this.decoder.decode(this.messageReadToken).block())
.withMessageContaining("mock-description");
// @formatter:on
}
@Test
@ -219,9 +250,11 @@ public class NimbusReactiveJwtDecoderTests {
OAuth2Error error2 = new OAuth2Error("mock-error-second", "mock-description-second", "mock-uri-second");
OAuth2TokenValidatorResult result = OAuth2TokenValidatorResult.failure(errorEmpty, error, error2);
given(jwtValidator.validate(any(Jwt.class))).willReturn(result);
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> this.decoder.decode(this.messageReadToken).block())
.withMessageContaining("mock-description");
// @formatter:on
}
@Test
@ -241,18 +274,26 @@ public class NimbusReactiveJwtDecoderTests {
Converter<Map<String, Object>, Map<String, Object>> claimSetConverter = mock(Converter.class);
this.decoder.setClaimSetConverter(claimSetConverter);
given(claimSetConverter.convert(any(Map.class))).willThrow(new IllegalArgumentException("bad conversion"));
// @formatter:off
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> this.decoder.decode(this.messageReadToken).block());
// @formatter:on
}
@Test
public void setJwtValidatorWhenGivenNullThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.decoder.setJwtValidator(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.decoder.setJwtValidator(null));
// @formatter:on
}
@Test
public void setClaimSetConverterWhenNullThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.decoder.setClaimSetConverter(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.decoder.setClaimSetConverter(null));
// @formatter:on
}
@Test
@ -269,25 +310,39 @@ public class NimbusReactiveJwtDecoderTests {
@Test
public void withJwkSetUriWhenJwtProcessorCustomizerNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(
() -> NimbusReactiveJwtDecoder.withJwkSetUri(this.jwkSetUri).jwtProcessorCustomizer(null).build())
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusReactiveJwtDecoder
.withJwkSetUri(this.jwkSetUri)
.jwtProcessorCustomizer(null)
.build()
)
.withMessage("jwtProcessorCustomizer cannot be null");
// @formatter:on
}
@Test
public void restOperationsWhenNullThenThrowsException() {
NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder builder = NimbusReactiveJwtDecoder
.withJwkSetUri(this.jwkSetUri);
assertThatIllegalArgumentException().isThrownBy(() -> builder.webClient(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> builder.webClient(null));
// @formatter:on
}
// gh-5603
@Test
public void decodeWhenSignedThenOk() {
WebClient webClient = mockJwkSetResponse(this.jwkSet);
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(this.jwkSetUri).webClient(webClient)
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(this.jwkSetUri)
.webClient(webClient)
.build();
assertThat(decoder.decode(this.messageReadToken).block()).extracting(Jwt::getExpiresAt).isNotNull();
assertThat(decoder.decode(this.messageReadToken).block())
.extracting(Jwt::getExpiresAt)
.isNotNull();
// @formatter:on
verify(webClient).get();
}
@ -295,66 +350,108 @@ public class NimbusReactiveJwtDecoderTests {
@Test
public void withJwkSetUriWhenUsingCustomTypeHeaderThenRefuseOmittedType() {
WebClient webClient = mockJwkSetResponse(this.jwkSet);
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(this.jwkSetUri).webClient(webClient)
.jwtProcessorCustomizer(
(p) -> p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS"))))
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(this.jwkSetUri)
.webClient(webClient)
.jwtProcessorCustomizer((p) -> p
.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS")))
)
.build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(this.messageReadToken).block())
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> decoder.decode(this.messageReadToken).block())
.havingRootCause().withMessage("Required JOSE header \"typ\" (type) parameter is missing");
// @formatter:on
}
@Test
public void withPublicKeyWhenNullThenThrowsException() {
assertThatIllegalArgumentException().isThrownBy(() -> NimbusReactiveJwtDecoder.withPublicKey(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusReactiveJwtDecoder.withPublicKey(null));
// @formatter:on
}
@Test
public void buildWhenSignatureAlgorithmMismatchesKeyTypeThenThrowsException() {
assertThatIllegalStateException().isThrownBy(() -> NimbusReactiveJwtDecoder.withPublicKey(key())
.signatureAlgorithm(SignatureAlgorithm.ES256).build());
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> NimbusReactiveJwtDecoder.withPublicKey(key())
.signatureAlgorithm(SignatureAlgorithm.ES256)
.build()
);
// @formatter:on
}
@Test
public void buildWhenJwtProcessorCustomizerNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusReactiveJwtDecoder.withPublicKey(key()).jwtProcessorCustomizer(null).build())
.isThrownBy(() -> NimbusReactiveJwtDecoder.withPublicKey(key())
.jwtProcessorCustomizer(null)
.build()
)
.withMessage("jwtProcessorCustomizer cannot be null");
// @formatter:on
}
@Test
public void decodeWhenUsingPublicKeyThenSuccessfullyDecodes() throws Exception {
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withPublicKey(key()).build();
assertThat(decoder.decode(this.rsa256).block()).extracting(Jwt::getSubject).isEqualTo("test-subject");
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withPublicKey(key())
.build();
assertThat(decoder.decode(this.rsa256).block())
.extracting(Jwt::getSubject)
.isEqualTo("test-subject");
// @formatter:on
}
@Test
public void decodeWhenUsingPublicKeyWithRs512ThenSuccessfullyDecodes() throws Exception {
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withPublicKey(key())
.signatureAlgorithm(SignatureAlgorithm.RS512).build();
assertThat(decoder.decode(this.rsa512).block()).extracting(Jwt::getSubject).isEqualTo("test-subject");
.signatureAlgorithm(SignatureAlgorithm.RS512)
.build();
assertThat(decoder.decode(this.rsa512).block())
.extracting(Jwt::getSubject)
.isEqualTo("test-subject");
// @formatter:on
}
@Test
public void decodeWhenSignatureMismatchesAlgorithmThenThrowsException() throws Exception {
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withPublicKey(key())
.signatureAlgorithm(SignatureAlgorithm.RS512).build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(this.rsa256).block());
.signatureAlgorithm(SignatureAlgorithm.RS512)
.build();
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> decoder
.decode(this.rsa256)
.block()
);
// @formatter:on
}
// gh-8730
@Test
public void withPublicKeyWhenUsingCustomTypeHeaderThenRefuseOmittedType() throws Exception {
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withPublicKey(key())
.jwtProcessorCustomizer(
(p) -> p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS"))))
.jwtProcessorCustomizer((p) -> p
.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS")))
)
.build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(this.rsa256).block())
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> decoder.decode(this.rsa256).block())
.havingRootCause().withMessage("Required JOSE header \"typ\" (type) parameter is missing");
// @formatter:on
}
@Test
public void withJwkSourceWhenNullThenThrowsException() {
assertThatIllegalArgumentException().isThrownBy(() -> NimbusReactiveJwtDecoder.withJwkSource(null));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusReactiveJwtDecoder.withJwkSource(null));
// @formatter:on
}
@Test
@ -366,54 +463,87 @@ public class NimbusReactiveJwtDecoderTests {
@Test
public void decodeWhenCustomJwkSourceResolutionThenDecodes() {
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder
.withJwkSource((jwt) -> Flux.fromIterable(parseJWKSet(this.jwkSet).getKeys())).build();
assertThat(decoder.decode(this.messageReadToken).block()).extracting(Jwt::getExpiresAt).isNotNull();
.withJwkSource((jwt) -> Flux.fromIterable(parseJWKSet(this.jwkSet).getKeys()))
.build();
assertThat(decoder.decode(this.messageReadToken).block())
.extracting(Jwt::getExpiresAt)
.isNotNull();
// @formatter:on
}
// gh-8730
@Test
public void withJwkSourceWhenUsingCustomTypeHeaderThenRefuseOmittedType() {
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSource((jwt) -> Flux.empty())
.jwtProcessorCustomizer(
(p) -> p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS"))))
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder
.withJwkSource((jwt) -> Flux.empty())
.jwtProcessorCustomizer((p) -> p
.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS")))
)
.build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(this.messageReadToken).block())
.havingRootCause().withMessage("Required JOSE header \"typ\" (type) parameter is missing");
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> decoder.decode(this.messageReadToken).block())
.havingRootCause()
.withMessage("Required JOSE header \"typ\" (type) parameter is missing");
// @formatter:on
}
@Test
public void withSecretKeyWhenSecretKeyNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> NimbusReactiveJwtDecoder.withSecretKey(null))
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusReactiveJwtDecoder.withSecretKey(null))
.withMessage("secretKey cannot be null");
// @formatter:on
}
@Test
public void withSecretKeyWhenJwtProcessorCustomizerNullThenThrowsIllegalArgumentException() {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(
() -> NimbusReactiveJwtDecoder.withSecretKey(secretKey).jwtProcessorCustomizer(null).build())
.isThrownBy(() -> NimbusReactiveJwtDecoder
.withSecretKey(secretKey)
.jwtProcessorCustomizer(null)
.build()
)
.withMessage("jwtProcessorCustomizer cannot be null");
// @formatter:on
}
@Test
public void withSecretKeyWhenMacAlgorithmNullThenThrowsIllegalArgumentException() {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> NimbusReactiveJwtDecoder.withSecretKey(secretKey).macAlgorithm(null))
.isThrownBy(() -> NimbusReactiveJwtDecoder
.withSecretKey(secretKey)
.macAlgorithm(null)
)
.withMessage("macAlgorithm cannot be null");
// @formatter:on
}
@Test
public void decodeWhenSecretKeyThenSuccess() throws Exception {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
MacAlgorithm macAlgorithm = MacAlgorithm.HS256;
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60))).build();
// @formatter:off
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
.subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60)))
.build();
// @formatter:on
SignedJWT signedJWT = signedJwt(secretKey, macAlgorithm, claimsSet);
this.decoder = NimbusReactiveJwtDecoder.withSecretKey(secretKey).macAlgorithm(macAlgorithm).build();
Jwt jwt = this.decoder.decode(signedJWT.serialize()).block();
// @formatter:off
this.decoder = NimbusReactiveJwtDecoder.withSecretKey(secretKey)
.macAlgorithm(macAlgorithm)
.build();
Jwt jwt = this.decoder.decode(signedJWT.serialize())
.block();
// @formatter:on
assertThat(jwt.getSubject()).isEqualTo("test-subject");
}
@ -421,24 +551,34 @@ public class NimbusReactiveJwtDecoderTests {
@Test
public void withSecretKeyWhenUsingCustomTypeHeaderThenRefuseOmittedType() {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withSecretKey(secretKey)
.jwtProcessorCustomizer(
(p) -> p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS"))))
.jwtProcessorCustomizer((p) -> p
.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS")))
)
.build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(this.messageReadToken).block())
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> decoder.decode(this.messageReadToken).block())
.havingRootCause().withMessage("Required JOSE header \"typ\" (type) parameter is missing");
// @formatter:on
}
@Test
public void decodeWhenSecretKeyAndAlgorithmMismatchThenThrowsJwtException() throws Exception {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
MacAlgorithm macAlgorithm = MacAlgorithm.HS256;
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60))).build();
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
.subject("test-subject")
.expirationTime(Date.from(Instant.now().plusSeconds(60)))
.build();
SignedJWT signedJWT = signedJwt(secretKey, macAlgorithm, claimsSet);
this.decoder = NimbusReactiveJwtDecoder.withSecretKey(secretKey).macAlgorithm(MacAlgorithm.HS512).build();
// @formatter:off
this.decoder = NimbusReactiveJwtDecoder.withSecretKey(secretKey)
.macAlgorithm(MacAlgorithm.HS512)
.build();
assertThatExceptionOfType(BadJwtException.class)
.isThrownBy(() -> this.decoder.decode(signedJWT.serialize()).block());
// @formatter:on
}
@Test
@ -464,9 +604,12 @@ public class NimbusReactiveJwtDecoderTests {
@Test
public void jwsKeySelectorWhenMultipleAlgorithmThenReturnsCompositeSelector() {
JWKSource<JWKSecurityContext> jwkSource = mock(JWKSource.class);
// @formatter:off
JWSKeySelector<JWKSecurityContext> jwsKeySelector = NimbusReactiveJwtDecoder.withJwkSetUri(this.jwkSetUri)
.jwsAlgorithm(SignatureAlgorithm.RS256).jwsAlgorithm(SignatureAlgorithm.RS512)
.jwsAlgorithm(SignatureAlgorithm.RS256)
.jwsAlgorithm(SignatureAlgorithm.RS512)
.jwsKeySelector(jwkSource);
// @formatter:on
assertThat(jwsKeySelector instanceof JWSVerificationKeySelector);
JWSVerificationKeySelector<?> jwsAlgorithmMapKeySelector = (JWSVerificationKeySelector<?>) jwsKeySelector;
assertThat(jwsAlgorithmMapKeySelector.isAllowed(JWSAlgorithm.RS256)).isTrue();

110
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecodersTests.java
View File

@ -54,15 +54,30 @@ public class ReactiveJwtDecodersTests {
* Contains those parameters required to construct a ReactiveJwtDecoder as well as any
* required parameters
*/
// @formatter:off
private static final String DEFAULT_RESPONSE_TEMPLATE = "{\n"
+ " \"authorization_endpoint\": \"https://example.com/o/oauth2/v2/auth\", \n"
+ " \"id_token_signing_alg_values_supported\": [\n" + " \"RS256\"\n" + " ], \n"
+ " \"issuer\": \"%s\", \n" + " \"jwks_uri\": \"%s/.well-known/jwks.json\", \n"
+ " \"response_types_supported\": [\n" + " \"code\", \n" + " \"token\", \n"
+ " \"id_token\", \n" + " \"code token\", \n" + " \"code id_token\", \n"
+ " \"token id_token\", \n" + " \"code token id_token\", \n" + " \"none\"\n"
+ " ], \n" + " \"subject_types_supported\": [\n" + " \"public\"\n" + " ], \n"
+ " \"token_endpoint\": \"https://example.com/oauth2/v4/token\"\n" + "}";
+ " \"id_token_signing_alg_values_supported\": [\n"
+ " \"RS256\"\n"
+ " ], \n"
+ " \"issuer\": \"%s\", \n"
+ " \"jwks_uri\": \"%s/.well-known/jwks.json\", \n"
+ " \"response_types_supported\": [\n"
+ " \"code\", \n"
+ " \"token\", \n"
+ " \"id_token\", \n"
+ " \"code token\", \n"
+ " \"code id_token\", \n"
+ " \"token id_token\", \n"
+ " \"code token id_token\", \n"
+ " \"none\"\n"
+ " ], \n"
+ " \"subject_types_supported\": [\n"
+ " \"public\"\n"
+ " ], \n"
+ " \"token_endpoint\": \"https://example.com/oauth2/v4/token\"\n"
+ "}";
// @formatter:on
private static final String JWK_SET = "{\"keys\":[{\"p\":\"49neceJFs8R6n7WamRGy45F5Tv0YM-R2ODK3eSBUSLOSH2tAqjEVKOkLE5fiNA3ygqq15NcKRadB2pTVf-Yb5ZIBuKzko8bzYIkIqYhSh_FAdEEr0vHF5fq_yWSvc6swsOJGqvBEtuqtJY027u-G2gAQasCQdhyejer68zsTn8M\",\"kty\":\"RSA\",\"q\":\"tWR-ysspjZ73B6p2vVRVyHwP3KQWL5KEQcdgcmMOE_P_cPs98vZJfLhxobXVmvzuEWBpRSiqiuyKlQnpstKt94Cy77iO8m8ISfF3C9VyLWXi9HUGAJb99irWABFl3sNDff5K2ODQ8CmuXLYM25OwN3ikbrhEJozlXg_NJFSGD4E\",\"d\":\"FkZHYZlw5KSoqQ1i2RA2kCUygSUOf1OqMt3uomtXuUmqKBm_bY7PCOhmwbvbn4xZYEeHuTR8Xix-0KpHe3NKyWrtRjkq1T_un49_1LLVUhJ0dL-9_x0xRquVjhl_XrsRXaGMEHs8G9pLTvXQ1uST585gxIfmCe0sxPZLvwoic-bXf64UZ9BGRV3lFexWJQqCZp2S21HfoU7wiz6kfLRNi-K4xiVNB1gswm_8o5lRuY7zB9bRARQ3TS2G4eW7p5sxT3CgsGiQD3_wPugU8iDplqAjgJ5ofNJXZezoj0t6JMB_qOpbrmAM1EnomIPebSLW7Ky9SugEd6KMdL5lW6AuAQ\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"one\",\"qi\":\"wdkFu_tV2V1l_PWUUimG516Zvhqk2SWDw1F7uNDD-Lvrv_WNRIJVzuffZ8WYiPy8VvYQPJUrT2EXL8P0ocqwlaSTuXctrORcbjwgxDQDLsiZE0C23HYzgi0cofbScsJdhcBg7d07LAf7cdJWG0YVl1FkMCsxUlZ2wTwHfKWf-v4\",\"dp\":\"uwnPxqC-IxG4r33-SIT02kZC1IqC4aY7PWq0nePiDEQMQWpjjNH50rlq9EyLzbtdRdIouo-jyQXB01K15-XXJJ60dwrGLYNVqfsTd0eGqD1scYJGHUWG9IDgCsxyEnuG3s0AwbW2UolWVSsU2xMZGb9PurIUZECeD1XDZwMp2s0\",\"dq\":\"hra786AunB8TF35h8PpROzPoE9VJJMuLrc6Esm8eZXMwopf0yhxfN2FEAvUoTpLJu93-UH6DKenCgi16gnQ0_zt1qNNIVoRfg4rw_rjmsxCYHTVL3-RDeC8X_7TsEySxW0EgFTHh-nr6I6CQrAJjPM88T35KHtdFATZ7BCBB8AE\",\"n\":\"oXJ8OyOv_eRnce4akdanR4KYRfnC2zLV4uYNQpcFn6oHL0dj7D6kxQmsXoYgJV8ZVDn71KGmuLvolxsDncc2UrhyMBY6DVQVgMSVYaPCTgW76iYEKGgzTEw5IBRQL9w3SRJWd3VJTZZQjkXef48Ocz06PGF3lhbz4t5UEZtdF4rIe7u-977QwHuh7yRPBQ3sII-cVoOUMgaXB9SHcGF2iZCtPzL_IffDUcfhLQteGebhW8A6eUHgpD5A1PQ-JCw_G7UOzZAjjDjtNM2eqm8j-Ms_gqnm4MiCZ4E-9pDN77CAAPVN7kuX6ejs9KBXpk01z48i9fORYk9u7rAkh1HuQw\"}]}";
@ -93,48 +108,60 @@ public class ReactiveJwtDecodersTests {
public void issuerWhenResponseIsTypicalThenReturnedDecoderValidatesIssuer() {
prepareConfigurationResponse();
ReactiveJwtDecoder decoder = ReactiveJwtDecoders.fromOidcIssuerLocation(this.issuer);
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> decoder.decode(ISSUER_MISMATCH).block())
.withMessageContaining("The iss claim is not valid");
// @formatter:on
}
@Test
public void issuerWhenOidcFallbackResponseIsTypicalThenReturnedDecoderValidatesIssuer() {
prepareConfigurationResponseOidc();
ReactiveJwtDecoder decoder = ReactiveJwtDecoders.fromIssuerLocation(this.issuer);
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> decoder.decode(ISSUER_MISMATCH).block())
.withMessageContaining("The iss claim is not valid");
// @formatter:on
}
@Test
public void issuerWhenOAuth2ResponseIsTypicalThenReturnedDecoderValidatesIssuer() {
prepareConfigurationResponseOAuth2();
ReactiveJwtDecoder decoder = ReactiveJwtDecoders.fromIssuerLocation(this.issuer);
// @formatter:off
assertThatExceptionOfType(JwtValidationException.class)
.isThrownBy(() -> decoder.decode(ISSUER_MISMATCH).block())
.withMessageContaining("The iss claim is not valid");
// @formatter:on
}
@Test
public void issuerWhenResponseIsNonCompliantThenThrowsRuntimeException() {
prepareConfigurationResponse("{ \"missing_required_keys\" : \"and_values\" }");
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOidcFallbackResponseIsNonCompliantThenThrowsRuntimeException() {
prepareConfigurationResponseOidc("{ \"missing_required_keys\" : \"and_values\" }");
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOAuth2ResponseIsNonCompliantThenThrowsRuntimeException() {
prepareConfigurationResponseOAuth2("{ \"missing_required_keys\" : \"and_values\" }");
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
// gh-7512
@ -142,8 +169,11 @@ public class ReactiveJwtDecodersTests {
public void issuerWhenResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException()
throws JsonMappingException, JsonProcessingException {
prepareConfigurationResponse(this.buildResponseWithMissingJwksUri());
assertThatIllegalArgumentException().isThrownBy(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(this.issuer))
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(this.issuer))
.withMessage("The public JWK set URI must not be null");
// @formatter:on
}
// gh-7512
@ -151,8 +181,11 @@ public class ReactiveJwtDecodersTests {
public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException()
throws JsonMappingException, JsonProcessingException {
prepareConfigurationResponseOidc(this.buildResponseWithMissingJwksUri());
assertThatIllegalArgumentException().isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer))
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer))
.withMessage("The public JWK set URI must not be null");
// @formatter:on
}
// gh-7512
@ -160,62 +193,85 @@ public class ReactiveJwtDecodersTests {
public void issuerWhenOAuth2ResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException()
throws JsonMappingException, JsonProcessingException {
prepareConfigurationResponseOAuth2(this.buildResponseWithMissingJwksUri());
assertThatIllegalArgumentException().isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer))
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer))
.withMessage("The public JWK set URI must not be null");
// @formatter:on
}
@Test
public void issuerWhenResponseIsMalformedThenThrowsRuntimeException() {
prepareConfigurationResponse("malformed");
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOidcFallbackResponseIsMalformedThenThrowsRuntimeException() {
prepareConfigurationResponseOidc("malformed");
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOAuth2ResponseIsMalformedThenThrowsRuntimeException() {
prepareConfigurationResponseOAuth2("malformed");
// @formatter:off
assertThatExceptionOfType(RuntimeException.class)
.isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenRespondingIssuerMismatchesRequestedIssuerThenThrowsIllegalStateException() {
prepareConfigurationResponse(String.format(DEFAULT_RESPONSE_TEMPLATE, this.issuer + "/wrong", this.issuer));
assertThatIllegalStateException().isThrownBy(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(this.issuer));
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOidcFallbackRespondingIssuerMismatchesRequestedIssuerThenThrowsIllegalStateException() {
prepareConfigurationResponseOidc(String.format(DEFAULT_RESPONSE_TEMPLATE, this.issuer + "/wrong", this.issuer));
assertThatIllegalStateException().isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenOAuth2RespondingIssuerMismatchesRequestedIssuerThenThrowsIllegalStateException() {
prepareConfigurationResponseOAuth2(
String.format(DEFAULT_RESPONSE_TEMPLATE, this.issuer + "/wrong", this.issuer));
assertThatIllegalStateException().isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation(this.issuer));
// @formatter:on
}
@Test
public void issuerWhenRequestedIssuerIsUnresponsiveThenThrowsIllegalArgumentException() throws Exception {
this.server.shutdown();
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> ReactiveJwtDecoders.fromOidcIssuerLocation("https://issuer"));
// @formatter:on
}
@Test
public void issuerWhenOidcFallbackRequestedIssuerIsUnresponsiveThenThrowsIllegalArgumentException()
throws Exception {
this.server.shutdown();
assertThatIllegalArgumentException().isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation("https://issuer"));
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> ReactiveJwtDecoders.fromIssuerLocation("https://issuer"));
// @formatter:on
}
private void prepareConfigurationResponse() {
@ -256,8 +312,13 @@ public class ReactiveJwtDecodersTests {
Dispatcher dispatcher = new Dispatcher() {
@Override
public MockResponse dispatch(RecordedRequest request) {
return Optional.of(request).map(RecordedRequest::getRequestUrl).map(HttpUrl::toString)
.map(responses::get).orElse(new MockResponse().setResponseCode(404));
// @formatter:off
return Optional.of(request)
.map(RecordedRequest::getRequestUrl)
.map(HttpUrl::toString)
.map(responses::get)
.orElse(new MockResponse().setResponseCode(404));
// @formatter:on
}
};
this.server.setDispatcher(dispatcher);
@ -269,12 +330,20 @@ public class ReactiveJwtDecodersTests {
private String oidc() {
URI uri = URI.create(this.issuer);
return UriComponentsBuilder.fromUri(uri).replacePath(uri.getPath() + OIDC_METADATA_PATH).toUriString();
// @formatter:off
return UriComponentsBuilder.fromUri(uri)
.replacePath(uri.getPath() + OIDC_METADATA_PATH)
.toUriString();
// @formatter:on
}
private String oauth() {
URI uri = URI.create(this.issuer);
return UriComponentsBuilder.fromUri(uri).replacePath(OAUTH_METADATA_PATH + uri.getPath()).toUriString();
// @formatter:off
return UriComponentsBuilder.fromUri(uri)
.replacePath(OAUTH_METADATA_PATH + uri.getPath())
.toUriString();
// @formatter:on
}
private String jwks() {
@ -282,7 +351,10 @@ public class ReactiveJwtDecodersTests {
}
private MockResponse response(String body) {
return new MockResponse().setBody(body).setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
// @formatter:off
return new MockResponse().setBody(body)
.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
// @formatter:on
}
public String buildResponseWithMissingJwksUri() throws JsonMappingException, JsonProcessingException {

32
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveRemoteJWKSourceTests.java
View File

@ -52,23 +52,43 @@ public class ReactiveRemoteJWKSourceTests {
private MockWebServer server;
private String keys = "{\n" + " \"keys\": [\n" + " {\n" + " \"alg\": \"RS256\", \n"
// @formatter:off
private String keys = "{\n"
+ " \"keys\": [\n"
+ " {\n"
+ " \"alg\": \"RS256\", \n"
+ " \"e\": \"AQAB\", \n"
+ " \"kid\": \"1923397381d9574bb873202a90c32b7ceeaed027\", \n"
+ " \"kty\": \"RSA\", \n"
+ " \"n\": \"m4I5Dk5GnbzzUtqaljDVbpMONi1JLNJ8ZuXE8VvjCAVebDg5vTYhQ33jUwGgbn1wFmytUMgMmvK8A8Gpshl0sO2GBIZoh6_pwLrk657ZEtv-hx9fYKnzwyrfHqxtSswMAyr7XtKl8Ha1I03uFMSaYaaBTwVXCHByhzr4PVXfKAYJNbbcteUZfE8ODlBQkjQLI0IB78Nu8XIRrdzTF_5LCuM6rLUNtX6_KdzPpeX9KEtB7OBAfkdZEtBzGI-aYNLtIaL4qO6cVxBeVDLMoj9kVsRPylrwhEFQcGOjtJhwJwXFzTMZVhkiLFCHxZkkjoMrK5osSRlhduuGI9ot8XTUKQ\", \n"
+ " \"use\": \"sig\"\n" + " }, \n" + " {\n" + " \"alg\": \"RS256\", \n"
+ " \"use\": \"sig\"\n"
+ " }, \n"
+ " {\n"
+ " \"alg\": \"RS256\", \n"
+ " \"e\": \"AQAB\", \n"
+ " \"kid\": \"7ddf54d3032d1f0d48c3618892ca74c1ac30ad77\", \n"
+ " \"kty\": \"RSA\", \n"
+ " \"n\": \"yLlYyux949b7qS-DdqTNjdZb4NtqiNH-Jt7DtRxmfW9XZLOQ6Q2NYgmPe9hyy5GHG7W3zsd6Q-rzq5eGRNEUx1767K1dS5PtkVWPiPG_M7rDqCu3HsLmKQKhRjHYaCWl5NuiMB5mXoPhSwrHd2yeGE7QHIV7_CiQFc1xQsXeiC-nTeJohJO3HI97w0GXE8pHspLYq9oG87f5IHxFr89abmwRug-D7QWQyW5b4doe4ZL-52J-8WHd52kGrGfu4QyV83oAad3I_9Q-yiWOXUr_0GIrzz4_-u5HgqYexnodFhZZSaKuRSg_b5qCnPhW8gBDLAHkmQzQMaWsN14L0pokbQ\", \n"
+ " \"use\": \"sig\"\n" + " }\n" + " ]\n" + "}\n";
+ " \"use\": \"sig\"\n"
+ " }\n"
+ " ]\n"
+ "}\n";
// @formatter:on
private String keys2 = "{\n" + " \"keys\": [\n" + " {\n" + " \"alg\": \"RS256\", \n"
+ " \"e\": \"AQAB\", \n" + " \"kid\": \"rotated\", \n"
// @formatter:off
private String keys2 = "{\n"
+ " \"keys\": [\n"
+ " {\n"
+ " \"alg\": \"RS256\", \n"
+ " \"e\": \"AQAB\", \n"
+ " \"kid\": \"rotated\", \n"
+ " \"kty\": \"RSA\", \n"
+ " \"n\": \"m4I5Dk5GnbzzUtqaljDVbpMONi1JLNJ8ZuXE8VvjCAVebDg5vTYhQ33jUwGgbn1wFmytUMgMmvK8A8Gpshl0sO2GBIZoh6_pwLrk657ZEtv-hx9fYKnzwyrfHqxtSswMAyr7XtKl8Ha1I03uFMSaYaaBTwVXCHByhzr4PVXfKAYJNbbcteUZfE8ODlBQkjQLI0IB78Nu8XIRrdzTF_5LCuM6rLUNtX6_KdzPpeX9KEtB7OBAfkdZEtBzGI-aYNLtIaL4qO6cVxBeVDLMoj9kVsRPylrwhEFQcGOjtJhwJwXFzTMZVhkiLFCHxZkkjoMrK5osSRlhduuGI9ot8XTUKQ\", \n"
+ " \"use\": \"sig\"\n" + " }\n" + " ]\n" + "}\n";
+ " \"use\": \"sig\"\n"
+ " }\n"
+ " ]\n"
+ "}\n";
// @formatter:on
@Before
public void setup() {

20
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/TestJwts.java
View File

@ -25,13 +25,25 @@ public final class TestJwts {
}
public static Jwt.Builder jwt() {
return Jwt.withTokenValue("token").header("alg", "none").audience(Arrays.asList("https://audience.example.org"))
.expiresAt(Instant.MAX).issuedAt(Instant.MIN).issuer("https://issuer.example.org").jti("jti")
.notBefore(Instant.MIN).subject("mock-test-subject");
// @formatter:off
return Jwt.withTokenValue("token")
.header("alg", "none")
.audience(Arrays.asList("https://audience.example.org"))
.expiresAt(Instant.MAX)
.issuedAt(Instant.MIN)
.issuer("https://issuer.example.org")
.jti("jti")
.notBefore(Instant.MIN)
.subject("mock-test-subject");
// @formatter:on
}
public static Jwt user() {
return jwt().claim("sub", "mock-test-subject").build();
// @formatter:off
return jwt()
.claim("sub", "mock-test-subject")
.build();
// @formatter:on
}
}