cubetiq/ spring-authorization-server
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Polish gh-31

This commit is contained in:
Joe Grandja 2020-05-17 19:34:53 -04:00
parent fa5c3510a9
commit 26c3941a20
6 changed files with 81 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build.gradle
View File

@ -16,8 +16,6 @@ group = 'org.springframework.security.experimental'
description = 'Spring Authorization Server' description = 'Spring Authorization Server'
version = '0.0.1-SNAPSHOT' version = '0.0.1-SNAPSHOT'
ext['junit-jupiter.version'] = '5.4.0'
repositories { repositories {
mavenCentral() mavenCentral()
} }

6
samples/boot/minimal/spring-authorization-server-samples-boot-minimal.gradle
View File

@ -3,17 +3,11 @@ apply plugin: 'io.spring.convention.spring-sample-boot'
dependencies { dependencies {
implementation 'org.springframework.boot:spring-boot-starter-web' implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-security' implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'com.nimbusds:oauth2-oidc-sdk' implementation 'com.nimbusds:oauth2-oidc-sdk'
testImplementation('org.springframework.boot:spring-boot-starter-test') { testImplementation('org.springframework.boot:spring-boot-starter-test') {
exclude group: 'org.junit.vintage', module: 'junit-vintage-engine' exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
} }
testImplementation 'org.springframework.security:spring-security-test'
testRuntime("org.junit.platform:junit-platform-runner")
testRuntime("org.junit.jupiter:junit-jupiter-engine")
} }
test { test {

37
samples/boot/minimal/src/main/java/sample/JwkSetEndpointFilter.java
View File

@ -13,35 +13,27 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package sample; package sample;
import static org.springframework.http.HttpMethod.GET; import com.nimbusds.jose.jwk.JWKSet;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import java.io.IOException; import org.springframework.util.Assert;
import java.io.Writer; import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.Writer;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import static org.springframework.http.HttpMethod.GET;
import org.springframework.security.web.util.matcher.RequestMatcher; import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UrlPathHelper;
import com.nimbusds.jose.jwk.JWKSet;
public class JwkSetEndpointFilter extends OncePerRequestFilter { public class JwkSetEndpointFilter extends OncePerRequestFilter {
static final String DEFAULT_JWK_SET_URI = "/oauth2/jwks";
static final String WELL_KNOWN_JWK_URIS = "/.well-known/jwk_uris"; private final RequestMatcher requestMatcher = new AntPathRequestMatcher(DEFAULT_JWK_SET_URI, GET.name());
private final RequestMatcher requestMatcher = new AntPathRequestMatcher(WELL_KNOWN_JWK_URIS, GET.name(), true,
new UrlPathHelper());
private final JWKSet jwkSet; private final JWKSet jwkSet;
public JwkSetEndpointFilter(JWKSet jwkSet) { public JwkSetEndpointFilter(JWKSet jwkSet) {
@ -53,7 +45,7 @@ public class JwkSetEndpointFilter extends OncePerRequestFilter {
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException { throws ServletException, IOException {
if (ifRequestMatches(request)) { if (matchesRequest(request)) {
respond(response); respond(response);
} else { } else {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
@ -63,12 +55,11 @@ public class JwkSetEndpointFilter extends OncePerRequestFilter {
private void respond(HttpServletResponse response) throws IOException { private void respond(HttpServletResponse response) throws IOException {
response.setContentType(APPLICATION_JSON_VALUE); response.setContentType(APPLICATION_JSON_VALUE);
try (Writer writer = response.getWriter()) { try (Writer writer = response.getWriter()) {
writer.write(jwkSet.toPublicJWKSet().toJSONObject().toJSONString()); writer.write(this.jwkSet.toPublicJWKSet().toJSONObject().toJSONString());
} }
} }
private boolean ifRequestMatches(HttpServletRequest request) { private boolean matchesRequest(HttpServletRequest request) {
return this.requestMatcher.matches(request); return this.requestMatcher.matches(request);
} }
} }

15
samples/boot/minimal/src/main/java/sample/SecurityConfig.java
View File

@ -13,31 +13,28 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package sample; package sample;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWK; import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet; import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse; import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator; import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
@EnableWebSecurity @EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(new JwkSetEndpointFilter(generateJwkSet()), ChannelProcessingFilter.class); http.addFilterBefore(new JwkSetEndpointFilter(generateJwkSet()), LogoutFilter.class);
} }
protected JWKSet generateJwkSet() throws JOSEException { private JWKSet generateJwkSet() throws JOSEException {
JWK jwk = new RSAKeyGenerator(2048).keyID("minimal-ASA").keyUse(KeyUse.SIGNATURE).generate(); JWK jwk = new RSAKeyGenerator(2048).keyID("minimal-ASA").keyUse(KeyUse.SIGNATURE).generate();
return new JWKSet(jwk); return new JWKSet(jwk);
} }
} }

107
samples/boot/minimal/src/test/java/sample/JwkSetEndpointFilterTest.java → samples/boot/minimal/src/test/java/sample/JwkSetEndpointFilterTests.java
View File

@ -13,31 +13,17 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package sample; package sample;
import static org.assertj.core.api.Assertions.assertThatThrownBy; import com.nimbusds.jose.JOSEException;
import static org.hamcrest.Matchers.is; import com.nimbusds.jose.jwk.JWK;
import static org.mockito.Mockito.mock; import com.nimbusds.jose.jwk.JWKSet;
import static org.mockito.Mockito.never; import com.nimbusds.jose.jwk.KeyUse;
import static org.mockito.Mockito.only; import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import static org.mockito.Mockito.verify;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static sample.JwkSetEndpointFilter.WELL_KNOWN_JWK_URIS;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.TestInstance; import org.junit.jupiter.api.TestInstance;
import org.junit.jupiter.api.TestInstance.Lifecycle; import org.junit.jupiter.api.TestInstance.Lifecycle;
import org.mockito.Mockito;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MockMvc;
@ -45,36 +31,48 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import com.nimbusds.jose.JOSEException; import javax.servlet.FilterChain;
import com.nimbusds.jose.jwk.JWK; import javax.servlet.http.HttpServletRequest;
import com.nimbusds.jose.jwk.JWKSet; import javax.servlet.http.HttpServletResponse;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator; import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.hamcrest.Matchers.is;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.only;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static sample.JwkSetEndpointFilter.DEFAULT_JWK_SET_URI;
@TestInstance(Lifecycle.PER_CLASS) @TestInstance(Lifecycle.PER_CLASS)
public class JwkSetEndpointFilterTest { public class JwkSetEndpointFilterTests {
private MockMvc mvc;
private JWKSet jwkSet;
private JWK jwk; private JWK jwk;
private JWKSet jwkSet;
private JwkSetEndpointFilter filter; private JwkSetEndpointFilter filter;
private MockMvc mvc;
@BeforeAll @BeforeAll
void setup() throws JOSEException { void setup() throws JOSEException {
this.jwk = new RSAKeyGenerator(2048).keyID("endpoint-test").keyUse(KeyUse.SIGNATURE).generate(); this.jwk = new RSAKeyGenerator(2048).keyID("endpoint-test").keyUse(KeyUse.SIGNATURE).generate();
this.jwkSet = new JWKSet(jwk); this.jwkSet = new JWKSet(this.jwk);
this.filter = new JwkSetEndpointFilter(jwkSet); this.filter = new JwkSetEndpointFilter(this.jwkSet);
this.mvc = MockMvcBuilders.standaloneSetup(new FakeController()).addFilters(filter).alwaysDo(print()).build(); this.mvc = MockMvcBuilders.standaloneSetup(new HelloController()).addFilters(this.filter).alwaysDo(print()).build();
} }
@Test @Test
void constructorWhenJsonWebKeySetIsNullThrowIllegalArgumentException() { void constructorWhenJWKSetNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new JwkSetEndpointFilter(null)).isInstanceOf(IllegalArgumentException.class); assertThatThrownBy(() -> new JwkSetEndpointFilter(null))
.isInstanceOf(IllegalArgumentException.class);
} }
@Test @Test
void doFilterWhenPathMatches() throws Exception { void doFilterWhenRequestMatchesThenProcess() throws Exception {
String requestUri = WELL_KNOWN_JWK_URIS; String requestUri = DEFAULT_JWK_SET_URI;
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri); MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri); request.setServletPath(requestUri);
@ -83,13 +81,12 @@ public class JwkSetEndpointFilterTest {
this.filter.doFilter(request, response, filterChain); this.filter.doFilter(request, response, filterChain);
verify(filterChain, never()).doFilter(Mockito.any(HttpServletRequest.class), verifyNoInteractions(filterChain);
Mockito.any(HttpServletResponse.class));
} }
@Test @Test
void doFilterWhenPathDoesNotMatch() throws Exception { void doFilterWhenRequestDoesNotMatchThenContinueChain() throws Exception {
String requestUri = "/stuff/" + WELL_KNOWN_JWK_URIS; String requestUri = "/path";
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri); MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri); request.setServletPath(requestUri);
@ -98,30 +95,34 @@ public class JwkSetEndpointFilterTest {
this.filter.doFilter(request, response, filterChain); this.filter.doFilter(request, response, filterChain);
verify(filterChain, only()).doFilter(Mockito.any(HttpServletRequest.class), verify(filterChain, only()).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
Mockito.any(HttpServletResponse.class));
} }
@Test @Test
void testResponseIfRequestMatches() throws Exception { void requestWhenMatchesThenResponseContainsKeys() throws Exception {
mvc.perform(get(WELL_KNOWN_JWK_URIS)).andDo(print()).andExpect(status().isOk()) this.mvc.perform(get(DEFAULT_JWK_SET_URI))
.andExpect(jsonPath("$.keys").isArray()).andExpect(jsonPath("$.keys").isNotEmpty()) .andDo(print())
.andExpect(jsonPath("$.keys[0].kid").value(jwk.getKeyID())) .andExpect(status().isOk())
.andExpect(jsonPath("$.keys[0].kty").value(jwk.getKeyType().toString())); .andExpect(jsonPath("$.keys").isArray())
.andExpect(jsonPath("$.keys").isNotEmpty())
.andExpect(jsonPath("$.keys[0].kid").value(this.jwk.getKeyID()))
.andExpect(jsonPath("$.keys[0].kty").value(this.jwk.getKeyType().toString()));
} }
@Test @Test
void testResponseIfNotRequestMatches() throws Exception { void requestWhenDoesNotMatchThenResponseContainsOther() throws Exception {
mvc.perform(get("/fake")).andDo(print()).andExpect(status().isOk()) this.mvc.perform(get("/hello"))
.andExpect(content().string(is("fake"))); .andDo(print())
.andExpect(status().isOk())
.andExpect(content().string(is("hello")));
} }
@RestController @RestController
class FakeController { static class HelloController {
@RequestMapping("/fake") @RequestMapping("/hello")
public String hello() { String hello() {
return "fake"; return "hello";
} }
} }
} }

16
samples/boot/minimal/src/test/java/sample/MinimalAuthorizationServerApplicationTests.java
View File

@ -15,29 +15,27 @@
*/ */
package sample; package sample;
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.http.HttpStatus.OK;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest; import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.SpringBootTest.WebEnvironment; import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
import org.springframework.boot.web.server.LocalServerPort; import org.springframework.boot.web.server.LocalServerPort;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate; import org.springframework.web.client.RestTemplate;
import static org.assertj.core.api.Assertions.assertThat;
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
public class MinimalAuthorizationServerApplicationTests { public class MinimalAuthorizationServerApplicationTests {
private RestTemplate rest = new RestTemplate(); private RestTemplate rest = new RestTemplate();
@LocalServerPort @LocalServerPort
private int serverPort; private int serverPort;
@Test @Test
void verifyJwkSetEndpointFilterAccessibleWithoutAuthentication() { void requestWhenNotAuthenticatedThenJwkSetEndpointStillAccessible() {
ResponseEntity<String> responseEntity = rest.getForEntity( ResponseEntity<String> responseEntity = this.rest.getForEntity(
"http://localhost:" + serverPort + JwkSetEndpointFilter.WELL_KNOWN_JWK_URIS, String.class); "http://localhost:" + this.serverPort + JwkSetEndpointFilter.DEFAULT_JWK_SET_URI, String.class);
assertThat(responseEntity.getStatusCode()).isEqualTo(OK); assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.OK);
} }
} }