You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2019/09/16 12:21:09 UTC
[cxf] 03/09: Adding a couple more OAuth system tests
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit cb4a9f4f0b7acc13c3a966b5990c3f3ae0415a5f
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Sep 11 19:28:22 2019 +0100
Adding a couple more OAuth system tests
(cherry picked from commit 9933ba2c19e1341d291eb4aa48fb24a19533261f)
---
.../grants/AuthorizationGrantNegativeTest.java | 82 ++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
index 5b70662..1cd5e51 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
@@ -41,6 +41,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
import org.apache.cxf.systest.jaxrs.security.SecurityTestUtil;
import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils;
import org.apache.cxf.systest.jaxrs.security.oauth2.common.SamlCallbackHandler;
@@ -58,6 +59,7 @@ import org.junit.runner.RunWith;
import org.junit.runners.Parameterized.Parameters;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
@@ -168,6 +170,46 @@ public class AuthorizationGrantNegativeTest extends AbstractBusClientServerTestB
assertEquals(400, response.getStatus());
}
+ // The redirect URI if in the authz request, must be in the token request and must match
+ @org.junit.Test
+ public void testNonMatchingRedirectURI() throws Exception {
+ URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
+
+ String address = "https://localhost:" + port + "/services/";
+ WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+ "alice", "security", busFile.toString());
+ // Save the Cookie for the second request...
+ WebClient.getConfig(client).getRequestContext().put(
+ org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+ // Get Authorization Code
+ String code = OAuth2TestUtils.getAuthorizationCode(client);
+ assertNotNull(code);
+
+ // Now get the access token
+ client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+ "consumer-id", "this-is-a-secret", busFile.toString());
+ // Save the Cookie for the second request...
+ WebClient.getConfig(client).getRequestContext().put(
+ org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+ client.type("application/x-www-form-urlencoded").accept("application/json");
+ client.path("token");
+
+ Form form = new Form();
+ form.param("grant_type", "authorization_code");
+ form.param("code", code);
+ form.param("client_id", "consumer-id");
+ form.param("redirect_uri", "http://www.bad.blah.apache.org");
+ Response response = client.post(form);
+ try {
+ response.readEntity(ClientAccessToken.class);
+ fail("Failure expected on not sending the correct redirect URI");
+ } catch (ResponseProcessingException ex) {
+ //expected
+ }
+ }
+
@org.junit.Test
public void testResponseType() throws Exception {
URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
@@ -673,6 +715,46 @@ public class AuthorizationGrantNegativeTest extends AbstractBusClientServerTestB
}
}
+ // We shouldn't be able to get a refresh token using the implicit grant
+ @org.junit.Test
+ public void testRefreshImplicitGrant() throws Exception {
+ URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
+
+ String address = "https://localhost:" + port + "/services/";
+ WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+ "alice", "security", busFile.toString());
+ // Save the Cookie for the second request...
+ WebClient.getConfig(client).getRequestContext().put(
+ org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+ // Get Access Token
+ client.type("application/json").accept("application/json");
+ client.query("client_id", "consumer-id");
+ client.query("redirect_uri", "http://www.blah.apache.org");
+ client.query("response_type", "token");
+ client.path("authorize-implicit/");
+ Response response = client.get();
+
+ OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class);
+
+ // Now call "decision" to get the access token
+ client.path("decision");
+ client.type("application/x-www-form-urlencoded");
+
+ Form form = new Form();
+ form.param("session_authenticity_token", authzData.getAuthenticityToken());
+ form.param("client_id", authzData.getClientId());
+ form.param("redirect_uri", authzData.getRedirectUri());
+ form.param("oauthDecision", "allow");
+
+ response = client.post(form);
+
+ String location = response.getHeaderString("Location");
+ String accessToken = OAuth2TestUtils.getSubstring(location, "access_token");
+ assertNotNull(accessToken);
+ assertFalse(location.contains("refresh"));
+ }
+
//
// SAML Authorization grants
//