Add Test for Malformed Scope

Fixes gh-7563
Josh Cummings 2019-10-28 16:50:15 -06:00
parent badb0a08c6
commit ed02ef9773
GPG Key ID: 49EF60DD7FF83443
1 changed files with 33 additions and 0 deletions


@ -25,6 +25,7 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.Optional; import java.util.Optional;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject; import net.minidev.json.JSONObject;
import okhttp3.mockwebserver.Dispatcher; import okhttp3.mockwebserver.Dispatcher;
import okhttp3.mockwebserver.MockResponse; import okhttp3.mockwebserver.MockResponse;
@ -100,10 +101,24 @@ public class NimbusOpaqueTokenIntrospectorTests {
" \"iss\" : \"badissuer\"\n" + " \"iss\" : \"badissuer\"\n" +
" }"; " }";
private static final String MALFORMED_SCOPE_RESPONSE = "{\n" +
" \"active\": true,\n" +
" \"client_id\": \"l238j323ds-23ij4\",\n" +
" \"username\": \"jdoe\",\n" +
" \"scope\": [ \"read\", \"write\", \"dolphin\" ],\n" +
" \"sub\": \"Z5O3upPC88QrAjx00dis\",\n" +
" \"aud\": \"https://protected.example.net/resource\",\n" +
" \"iss\": \"https://server.example.com/\",\n" +
" \"exp\": 1419356238,\n" +
" \"iat\": 1419350238,\n" +
" \"extension_field\": \"twenty-seven\"\n" +
" }";
private static final ResponseEntity<String> ACTIVE = response(ACTIVE_RESPONSE); private static final ResponseEntity<String> ACTIVE = response(ACTIVE_RESPONSE);
private static final ResponseEntity<String> INACTIVE = response(INACTIVE_RESPONSE); private static final ResponseEntity<String> INACTIVE = response(INACTIVE_RESPONSE);
private static final ResponseEntity<String> INVALID = response(INVALID_RESPONSE); private static final ResponseEntity<String> INVALID = response(INVALID_RESPONSE);
private static final ResponseEntity<String> MALFORMED_ISSUER = response(MALFORMED_ISSUER_RESPONSE); private static final ResponseEntity<String> MALFORMED_ISSUER = response(MALFORMED_ISSUER_RESPONSE);
private static final ResponseEntity<String> MALFORMED_SCOPE = response(MALFORMED_SCOPE_RESPONSE);
@Test @Test
public void introspectWhenActiveTokenThenOk() throws Exception { public void introspectWhenActiveTokenThenOk() throws Exception {
@ -230,6 +245,24 @@ public class NimbusOpaqueTokenIntrospectorTests {
.isInstanceOf(OAuth2IntrospectionException.class); .isInstanceOf(OAuth2IntrospectionException.class);
} }
// gh-7563
@Test
public void introspectWhenIntrospectionTokenReturnsMalformedScopeThenEmptyAuthorities() {
RestOperations restOperations = mock(RestOperations.class);
OpaqueTokenIntrospector introspectionClient =
new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations);
when(restOperations.exchange(any(RequestEntity.class), eq(String.class)))
.thenReturn(MALFORMED_SCOPE);
OAuth2AuthenticatedPrincipal principal = introspectionClient.introspect("token");
assertThat(principal.getAuthorities()).isEmpty();
assertThat((Object) principal.getAttribute("scope"))
.isNotNull()
.isInstanceOf(JSONArray.class);
JSONArray scope = principal.getAttribute("scope");
assertThat(scope).containsExactly("read", "write", "dolphin");
}
@Test @Test
public void constructorWhenIntrospectionUriIsNullThenIllegalArgumentException() { public void constructorWhenIntrospectionUriIsNullThenIllegalArgumentException() {
assertThatCode(() -> new NimbusOpaqueTokenIntrospector(null, CLIENT_ID, CLIENT_SECRET)) assertThatCode(() -> new NimbusOpaqueTokenIntrospector(null, CLIENT_ID, CLIENT_SECRET))