Polish gh-88

This commit is contained in:
Joe Grandja 2020-11-02 18:47:55 -05:00
parent cf82c06502
commit 6c7486429c
2 changed files with 31 additions and 7 deletions

View File

@ -18,6 +18,7 @@ package org.springframework.security.oauth2.server.authorization.authentication;
import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken; import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2Error;
@ -80,6 +81,10 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
} }
RegisteredClient registeredClient = clientPrincipal.getRegisteredClient(); RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.CLIENT_CREDENTIALS)) {
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT));
}
Set<String> scopes = registeredClient.getScopes(); // Default to configured scopes Set<String> scopes = registeredClient.getScopes(); // Default to configured scopes
if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) { if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) {
Set<String> unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream() Set<String> unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream()

View File

@ -19,6 +19,7 @@ import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.ArgumentCaptor; import org.mockito.ArgumentCaptor;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.jose.JoseHeaderNames; import org.springframework.security.oauth2.jose.JoseHeaderNames;
@ -49,14 +50,12 @@ import static org.mockito.Mockito.when;
* @author Joe Grandja * @author Joe Grandja
*/ */
public class OAuth2ClientCredentialsAuthenticationProviderTests { public class OAuth2ClientCredentialsAuthenticationProviderTests {
private RegisteredClient registeredClient;
private OAuth2AuthorizationService authorizationService; private OAuth2AuthorizationService authorizationService;
private JwtEncoder jwtEncoder; private JwtEncoder jwtEncoder;
private OAuth2ClientCredentialsAuthenticationProvider authenticationProvider; private OAuth2ClientCredentialsAuthenticationProvider authenticationProvider;
@Before @Before
public void setUp() { public void setUp() {
this.registeredClient = TestRegisteredClients.registeredClient().build();
this.authorizationService = mock(OAuth2AuthorizationService.class); this.authorizationService = mock(OAuth2AuthorizationService.class);
this.jwtEncoder = mock(JwtEncoder.class); this.jwtEncoder = mock(JwtEncoder.class);
this.authenticationProvider = new OAuth2ClientCredentialsAuthenticationProvider( this.authenticationProvider = new OAuth2ClientCredentialsAuthenticationProvider(
@ -89,8 +88,9 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
@Test @Test
public void authenticateWhenClientPrincipalNotOAuth2ClientAuthenticationTokenThenThrowOAuth2AuthenticationException() { public void authenticateWhenClientPrincipalNotOAuth2ClientAuthenticationTokenThenThrowOAuth2AuthenticationException() {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
TestingAuthenticationToken clientPrincipal = new TestingAuthenticationToken( TestingAuthenticationToken clientPrincipal = new TestingAuthenticationToken(
this.registeredClient.getClientId(), this.registeredClient.getClientSecret()); registeredClient.getClientId(), registeredClient.getClientSecret());
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal); OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)) assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
@ -102,8 +102,9 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
@Test @Test
public void authenticateWhenClientPrincipalNotAuthenticatedThenThrowOAuth2AuthenticationException() { public void authenticateWhenClientPrincipalNotAuthenticatedThenThrowOAuth2AuthenticationException() {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken( OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
this.registeredClient.getClientId(), this.registeredClient.getClientSecret(), null); registeredClient.getClientId(), registeredClient.getClientSecret(), null);
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal); OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)) assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
@ -113,9 +114,25 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
.isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT); .isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
} }
@Test
public void authenticateWhenClientNotAuthorizedToRequestTokenThenThrowOAuth2AuthenticationException() {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2()
.authorizationGrantTypes(grantTypes -> grantTypes.remove(AuthorizationGrantType.CLIENT_CREDENTIALS))
.build();
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
.extracting("errorCode")
.isEqualTo(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
}
@Test @Test
public void authenticateWhenInvalidScopeThenThrowOAuth2AuthenticationException() { public void authenticateWhenInvalidScopeThenThrowOAuth2AuthenticationException() {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(this.registeredClient); RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken( OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
clientPrincipal, Collections.singleton("invalid-scope")); clientPrincipal, Collections.singleton("invalid-scope"));
@ -128,7 +145,8 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
@Test @Test
public void authenticateWhenScopeRequestedThenAccessTokenContainsScope() { public void authenticateWhenScopeRequestedThenAccessTokenContainsScope() {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(this.registeredClient); RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
Set<String> requestedScope = Collections.singleton("openid"); Set<String> requestedScope = Collections.singleton("openid");
OAuth2ClientCredentialsAuthenticationToken authentication = OAuth2ClientCredentialsAuthenticationToken authentication =
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScope); new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScope);
@ -142,7 +160,8 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
@Test @Test
public void authenticateWhenValidAuthenticationThenReturnAccessToken() { public void authenticateWhenValidAuthenticationThenReturnAccessToken() {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(this.registeredClient); RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal); OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt()); when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());