From 1466f3d2a346d79299360debca0b00f1c63fe843 Mon Sep 17 00:00:00 2001 From: Dominik Frantisek Bucik <bucik@ics.muni.cz> Date: Fri, 1 Mar 2024 13:49:35 +0100 Subject: [PATCH] =?UTF-8?q?refactor:=20=F0=9F=92=A1=20Remove=20HEART=20mod?= =?UTF-8?q?e?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../main/webapp/WEB-INF/tags/copyright.tag | 1 - .../src/main/webapp/WEB-INF/tags/header.tag | 3 - .../src/main/webapp/resources/js/client.js | 78 ++--- .../webapp/resources/template/client.html | 10 +- .../impl/BlacklistAwareRedirectResolver.java | 7 +- ...faultOAuth2ClientDetailsEntityService.java | 123 +------- .../ics/oauth2/service/impl/ServiceUtils.java | 10 - .../JWTBearerAuthenticationProvider.java | 5 - .../config/ConfigurationPropertiesBean.java | 15 +- .../TestBlacklistAwareRedirectResolver.java | 13 - ...faultOAuth2ClientDetailsEntityService.java | 269 ------------------ .../TestJWTBearerAuthenticationProvider.java | 14 - 12 files changed, 32 insertions(+), 516 deletions(-) diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag index 684f9ede4..0ac83c49d 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag @@ -2,7 +2,6 @@ <%@ tag import="org.springframework.web.context.support.WebApplicationContextUtils" %> <%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%> <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> -<c:if test="${ config.heartMode }"><span class="pull-left"><img src="resources/images/heart_mode.png" alt="HEART Mode" title="This server is running in HEART Compliance Mode" /></span> </c:if> <% PerunOidcConfig perunOidcConfig = WebApplicationContextUtils.getWebApplicationContext(application).getBean("perunOidcConfig", PerunOidcConfig.class); %> 
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/header.tag b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/header.tag index 78b270f8f..55972c19d 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/header.tag +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/header.tag @@ -73,9 +73,6 @@ return false; } } - - var heartMode = ${config.heartMode}; - </script> </head> diff --git a/perun-oidc-server-webapp/src/main/webapp/resources/js/client.js b/perun-oidc-server-webapp/src/main/webapp/resources/js/client.js index 90912bd1b..0cbd97cbc 100644 --- a/perun-oidc-server-webapp/src/main/webapp/resources/js/client.js +++ b/perun-oidc-server-webapp/src/main/webapp/resources/js/client.js @@ -1256,7 +1256,6 @@ var ClientFormView = Backbone.View.extend({ render: function (eventName) { var data = { client: this.model.toJSON(), - heartMode: heartMode, }; $(this.el).html(this.template(data)); 
@@ -1560,60 +1559,33 @@ ui.routes.push({ contacts.push(userInfo.email); } - // use a different set of defaults based on heart mode flag - if (heartMode) { - client.set( - { - tokenEndpointAuthMethod: "PRIVATE_KEY", - generateClientSecret: true, - requireAuthTime: true, - defaultMaxAge: 60000, - scope: _.uniq( - _.flatten(app.systemScopeList.defaultScopes().pluck("value")), - ), - accessTokenValiditySeconds: 3600, - refreshTokenValiditySeconds: 24 * 3600, - idTokenValiditySeconds: 300, - deviceCodeValiditySeconds: 30 * 60, - grantTypes: ["authorization_code"], - responseTypes: ["code"], - subjectType: "PUBLIC", - jwksType: "URI", - contacts: contacts, - }, - { - silent: true, - }, - ); - } else { // set up this new client to require a secret and have us // autogenerate one - client.set( - { - tokenEndpointAuthMethod: "SECRET_BASIC", - introspectionEndpointAuthMethod: "SECRET_BASIC", - revocationEndpointAuthMethod: "SECRET_BASIC", - deviceEndpointAuthMethod: "SECRET_BASIC", - generateClientSecret: true, - requireAuthTime: true, - defaultMaxAge: 60000, - scope: _.uniq( - _.flatten(app.systemScopeList.defaultScopes().pluck("value")), - ), - accessTokenValiditySeconds: 3600, - idTokenValiditySeconds: 600, - deviceCodeValiditySeconds: 30 * 60, - grantTypes: ["authorization_code"], - responseTypes: ["code"], - subjectType: "PUBLIC", - jwksType: "URI", - contacts: contacts, - }, - { - silent: true, - }, - ); - } + client.set( + { + tokenEndpointAuthMethod: "SECRET_BASIC", + introspectionEndpointAuthMethod: "SECRET_BASIC", + revocationEndpointAuthMethod: "SECRET_BASIC", + deviceEndpointAuthMethod: "SECRET_BASIC", + generateClientSecret: true, + requireAuthTime: true, + defaultMaxAge: 60000, + scope: _.uniq( + _.flatten(app.systemScopeList.defaultScopes().pluck("value")), + ), + accessTokenValiditySeconds: 3600, + idTokenValiditySeconds: 600, + deviceCodeValiditySeconds: 30 * 60, + grantTypes: ["authorization_code"], + responseTypes: ["code"], + subjectType: "PUBLIC", + 
jwksType: "URI", + contacts: contacts, + }, + { + silent: true, + }, + ); $("#content").html(view.render().el); setPageTitle($.t("client.client-form.new")); diff --git a/perun-oidc-server-webapp/src/main/webapp/resources/template/client.html b/perun-oidc-server-webapp/src/main/webapp/resources/template/client.html index e41f522b9..24d46286d 100644 --- a/perun-oidc-server-webapp/src/main/webapp/resources/template/client.html +++ b/perun-oidc-server-webapp/src/main/webapp/resources/template/client.html 
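Review bot: The defaults literal that used to sit behind the `else` branch is now an unconditional `client.set({...}, { silent: true })` of roughly twenty lines inside the route handler, and the surviving comment `// set up this new client to require a secret and have us autogenerate one` is the only thing that tells a reader what the block is. A style suggestion: hoist the literal into a small helper such as `function newClientDefaults(contacts) { return { tokenEndpointAuthMethod: "SECRET_BASIC", /* … */ contacts: contacts }; }` near the top of the module and call `client.set(newClientDefaults(contacts), { silent: true });` here, so the defaults are visible in one place and the handler reads as a sequence of steps. The enclosing `ui.routes.push({ ... })` handler starts before this hunk and ends after it.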
@@ -384,27 +384,25 @@ <div class="controls"> <div> - <input id="grantTypes-authorization_code" <%= heartMode ? 'type="radio" name="grantType"' : 'type="checkbox"' %> + <input id="grantTypes-authorization_code" type="checkbox"> <%-($.inArray("authorization_code", client.grantTypes) > -1 ? 'checked' : '')%>> <label for="grantTypes-authorization_code" class="checkbox" data-i18n="client.client-form.authorization-code">authorization code</label> </div> <div> - <input id="grantTypes-client_credentials" <%= heartMode ? 'type="radio" name="grantType"' : 'type="checkbox"' %> + <input id="grantTypes-client_credentials" type="checkbox"> <%-($.inArray("client_credentials", client.grantTypes) > -1 ? 'checked' : '')%>> <label for="grantTypes-client_credentials" class="checkbox" data-i18n="client.client-form.client-credentials">client credentials</label> </div> - <% if (!heartMode) { // disable password on heart mode %> <div> - <input id="grantTypes-password" type="checkbox" + <input id="grantTypes-password" type="checkbox"> <%-($.inArray("password", client.grantTypes) > -1 ? 'checked' : '')%>> <label for="grantTypes-password" class="checkbox" data-i18n="client.client-form.password">password</label> </div> - <% } %> <div> - <input id="grantTypes-implicit" <%= heartMode ? 'type="radio" name="grantType"' : 'type="checkbox"' %> + <input id="grantTypes-implicit" type="checkbox"> <%-($.inArray("implicit", client.grantTypes) > -1 ? 'checked' : '')%>> <label for="grantTypes-implicit" class="checkbox" data-i18n="client.client-form.implicit">implicit</label> </div> diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/BlacklistAwareRedirectResolver.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/BlacklistAwareRedirectResolver.java index b11da98d2..565023c79 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/BlacklistAwareRedirectResolver.java 
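Review bot: Each of the four rewritten `<input>` lines now ends with `>`, which closes the tag before the following context line `<%-($.inArray(..., client.grantTypes) > -1 ? 'checked' : '')%>>` has added the `checked` attribute, so that attribute (and a stray `>`) lands outside the element as text. The old lines deliberately left the tag open for the next line to close; with this change an existing client's grant-type checkboxes render unchecked on edit, and saving that form would most likely drop the client's registered grant types. Drop the trailing `>` on all four, e.g. `<input id="grantTypes-authorization_code" type="checkbox"` for authorization_code and the same for the client_credentials, password and implicit inputs.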
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/BlacklistAwareRedirectResolver.java @@ -97,12 +97,7 @@ public class BlacklistAwareRedirectResolver implements RedirectResolver { * @return the strictMatch */ public boolean isStrictMatch() { - if (config.isHeartMode()) { - // HEART mode enforces strict matching - return true; - } else { - return strictMatch; - } + return strictMatch; } /** diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java index 0ad029a2b..9561175aa 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java @@ -120,8 +120,6 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt // make sure we don't have both a JWKS and a JWKS URI ensureKeyConsistency(client); - // check consistency when using HEART mode - checkHeartMode(client); // timestamp this to right now client.setCreatedAt(new Date()); 
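Review bot: `isStrictMatch()` now reports only the configured `strictMatch` field, so the exact-match enforcement for redirect URIs that HEART mode used to force is gone; the field's default is not visible in this hunk, and if it is `false`, a deployment that relied on HEART mode for strict matching silently falls back to pattern matching after upgrading. The getter's Javadoc still reads only `@return the strictMatch`, which no longer tells an operator that this property is now the sole switch. Suggest adding a line above the getter such as `Strict (exact) redirect URI matching is governed solely by the strictMatch property; no server mode forces it on any more.` and a matching remark in the release notes.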
@@ -192,117 +190,6 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt } } - /** - * If HEART mode is enabled, make sure the client meets the requirements: - * - Only one of authorization_code, implicit, or client_credentials can be used at a time - * - A redirect_uri must be registered with either authorization_code or implicit - * - A key must be registered - * - A client secret must not be generated - * - authorization_code and client_credentials must use the private_key authorization method - * @param client - */ - private void checkHeartMode(ClientDetailsEntity client) { - if (config.isHeartMode()) { - if (client.getGrantTypes().contains("authorization_code")) { - // make sure we don't have incompatible grant types - if (client.getGrantTypes().contains("implicit") || client.getGrantTypes().contains("client_credentials")) { - throw new IllegalArgumentException("[HEART mode] Incompatible grant types"); - } - - // make sure we've got the right authentication method - if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { - throw new IllegalArgumentException("[HEART mode] Authorization code clients must use the private_key authentication method"); - } - - // make sure we've got a redirect URI - if (client.getRedirectUris().isEmpty()) { - throw new IllegalArgumentException("[HEART mode] Authorization code clients must register at least one redirect URI"); - } - } - - if (client.getGrantTypes().contains("implicit")) { - // make sure we don't have incompatible grant types - if (client.getGrantTypes().contains("authorization_code") || client.getGrantTypes().contains("client_credentials") || client.getGrantTypes().contains("refresh_token")) { - throw new IllegalArgumentException("[HEART mode] Incompatible grant types"); - } - - // make sure we've got the right authentication method - if (client.getTokenEndpointAuthMethod() == null || 
!client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) { - throw new IllegalArgumentException("[HEART mode] Implicit clients must use the none authentication method"); - } - - // make sure we've got a redirect URI - if (client.getRedirectUris().isEmpty()) { - throw new IllegalArgumentException("[HEART mode] Implicit clients must register at least one redirect URI"); - } - } - - if (client.getGrantTypes().contains("client_credentials")) { - // make sure we don't have incompatible grant types - if (client.getGrantTypes().contains("authorization_code") || client.getGrantTypes().contains("implicit") || client.getGrantTypes().contains("refresh_token")) { - throw new IllegalArgumentException("[HEART mode] Incompatible grant types"); - } - - // make sure we've got the right authentication method - if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { - throw new IllegalArgumentException("[HEART mode] Client credentials clients must use the private_key authentication method"); - } - - // make sure we've got a redirect URI - if (!client.getRedirectUris().isEmpty()) { - throw new IllegalArgumentException("[HEART mode] Client credentials clients must not register a redirect URI"); - } - - } - - if (client.getGrantTypes().contains("password")) { - throw new IllegalArgumentException("[HEART mode] Password grant type is forbidden"); - } - - // make sure we don't have a client secret - if (!Strings.isNullOrEmpty(client.getClientSecret())) { - throw new IllegalArgumentException("[HEART mode] Client secrets are not allowed"); - } - - // make sure we've got a key registered - if (client.getJwks() == null && Strings.isNullOrEmpty(client.getJwksUri())) { - throw new IllegalArgumentException("[HEART mode] All clients must have a key registered"); - } - - // make sure our redirect URIs each fit one of the allowed categories - if (client.getRedirectUris() != null && !client.getRedirectUris().isEmpty()) { - boolean 
localhost = false; - boolean remoteHttps = false; - boolean customScheme = false; - for (String uri : client.getRedirectUris()) { - UriComponents components = UriComponentsBuilder.fromUriString(uri).build(); - if (components.getScheme() == null) { - // this is a very unknown redirect URI - customScheme = true; - } else if (components.getScheme().equals("http")) { - // http scheme, check for localhost - if (components.getHost().equals("localhost") || components.getHost().equals("127.0.0.1")) { - localhost = true; - } else { - throw new IllegalArgumentException("[HEART mode] Can't have an http redirect URI on non-local host"); - } - } else if (components.getScheme().equals("https")) { - remoteHttps = true; - } else { - customScheme = true; - } - } - - // now we make sure the client has a URI in only one of each of the three categories - if (!((localhost ^ remoteHttps ^ customScheme) - && !(localhost && remoteHttps && customScheme))) { - throw new IllegalArgumentException("[HEART mode] Can't have more than one class of redirect URI"); - } - } - - } - } - /** * Get the client by its internal ID */ @@ -387,9 +274,6 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt // make sure we don't have both a JWKS and a JWKS URI ensureKeyConsistency(newClient); - // check consistency when using HEART mode - checkHeartMode(newClient); - // check the sector URI checkSectorIdentifierUri(newClient); 
@@ -423,12 +307,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt */ @Override public ClientDetailsEntity generateClientSecret(ClientDetailsEntity client) { - if (config.isHeartMode()) { - log.error("[HEART mode] Can't generate a client secret, skipping step; client won't be saved due to invalid configuration"); - client.setClientSecret(null); - } else { - client.setClientSecret(Base64.encodeBase64URLSafeString(new BigInteger(512, new SecureRandom()).toByteArray()).replace("=", "")); - } + client.setClientSecret(Base64.encodeBase64URLSafeString(new BigInteger(512, new SecureRandom()).toByteArray()).replace("=", "")); return client; } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/ServiceUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/ServiceUtils.java index ed29d96ff..a4f05cd7a 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/ServiceUtils.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/ServiceUtils.java 
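Review bot: The surviving line builds the secret from `new BigInteger(512, new SecureRandom()).toByteArray()`, which yields a variable-length array (65 bytes with a sign byte when the top bit is set, fewer when leading bytes are zero), so encoded secrets differ in length, and the trailing `.replace("=", "")` is redundant if this is commons-codec's `encodeBase64URLSafeString`, which emits no padding. Since the line is now unconditional, a fixed-width form is clearer: `byte[] raw = new byte[64]; new SecureRandom().nextBytes(raw); client.setClientSecret(Base64.encodeBase64URLSafeString(raw));`, ideally with the `SecureRandom` held in a static field. Note also the ServiceUtils hunk below, which removes more than the HEART half of the old condition: clients whose token endpoint auth method is `PRIVATE_KEY` or `SECRET_JWT` previously had their password replaced by a random value so a stored secret could not be used for secret-based authentication, and after this commit the stored secret is passed through for every client. That looks like an unintended widening rather than part of the HEART removal and deserves either restoring the auth-method check or an explicit statement in the commit description.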
@@ -1,27 +1,17 @@ package cz.muni.ics.oauth2.service.impl; import cz.muni.ics.oauth2.model.ClientDetailsEntity; -import cz.muni.ics.oauth2.model.enums.AuthMethod; import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; -import java.math.BigInteger; -import java.security.SecureRandom; import java.util.Collection; import java.util.HashSet; public class ServiceUtils { public static UserDetails getUserDetails(String decodedClientId, ClientDetailsEntity client, String encodedPassword, ConfigurationPropertiesBean config, GrantedAuthority roleClient) { - if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets - (client.getTokenEndpointAuthMethod() != null && - (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) || - client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) { - encodedPassword = new BigInteger(512, new SecureRandom()).toString(16); - } - Collection<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities()); authorities.add(roleClient); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/assertion/JWTBearerAuthenticationProvider.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/assertion/JWTBearerAuthenticationProvider.java index c5612dae6..0cda0b2c5 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/assertion/JWTBearerAuthenticationProvider.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/assertion/JWTBearerAuthenticationProvider.java 
@@ -123,11 +123,6 @@ public class JWTBearerAuthenticationProvider implements AuthenticationProvider { || alg.equals(JWSAlgorithm.HS384) || alg.equals(JWSAlgorithm.HS512)))) { - // double-check the method is asymmetrical if we're in HEART mode - if (config.isHeartMode() && !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { - throw new AuthenticationServiceException("[HEART mode] Invalid authentication method"); - } - JWTSigningAndValidationService validator = validators.getValidator(client, alg); if (validator == null) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/config/ConfigurationPropertiesBean.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/config/ConfigurationPropertiesBean.java index 510f8d275..7572ec9e4 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/config/ConfigurationPropertiesBean.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/config/ConfigurationPropertiesBean.java @@ -51,7 +51,6 @@ public class ConfigurationPropertiesBean implements InitializingBean { private Locale locale = Locale.ENGLISH; // we default to the english translation private List<String> languageNamespaces = Lists.newArrayList("messages"); private boolean dualClient = false; - private boolean heartMode = false; private boolean allowCompleteDeviceCodeUri = false; public ConfigurationPropertiesBean() { } @@ -154,11 +153,7 @@ public class ConfigurationPropertiesBean implements InitializingBean { } public boolean isDualClient() { - if (isHeartMode()) { - return false; // HEART mode is incompatible with dual client mode - } else { - return dualClient; - } + return dualClient; } public void setDualClient(boolean dualClient) { 
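Review bot: Removing the `heartMode` field (this section's `@@ -51` hunk) together with `isHeartMode()`/`setHeartMode(...)` (the `@@ -173` hunk on the next line) means a bean definition or properties file that still sets `heartMode` will most likely fail at context startup with an unknown-property error rather than being ignored; the `isDualClient()` simplification in this hunk is fine on its own. Worth a migration line in the commit description, e.g. `Remove the heartMode property from the configuration bean definition before deploying this version.`, and a corresponding entry in the release notes so operators know the flag is gone rather than defaulted.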
@@ -173,14 +168,6 @@ public class ConfigurationPropertiesBean implements InitializingBean { return getLanguageNamespaces().get(0); } - public boolean isHeartMode() { - return heartMode; - } - - public void setHeartMode(boolean heartMode) { - this.heartMode = heartMode; - } - public boolean isAllowCompleteDeviceCodeUri() { return allowCompleteDeviceCodeUri; } diff --git a/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java b/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java index 65bbc38cc..e0fd77787 100644 --- a/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java +++ b/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java @@ -134,17 +134,4 @@ public class TestBlacklistAwareRedirectResolver { } - @Test - public void testHeartMode() { - // this is not an exact match - boolean res1 = resolver.redirectMatches(pathUri, goodUri, AppType.WEB); - - assertThat(res1, is(false)); - - // this is an exact match - boolean res2 = resolver.redirectMatches(goodUri, goodUri, AppType.WEB); - - assertThat(res2, is(true)); - } - } diff --git a/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java b/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java index 7953d1a6a..2b55817d4 100644 --- a/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java +++ b/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java 
@@ -127,9 +127,6 @@ public class TestDefaultOAuth2ClientDetailsEntityService { // we're not testing reserved scopes here, just pass through when it's called Mockito.when(scopeService.removeReservedScopes(ArgumentMatchers.anySet())).then(AdditionalAnswers.returnsFirstArg()); - - Mockito.when(config.isHeartMode()).thenReturn(false); - } /** 
@@ -345,270 +342,4 @@ public class TestDefaultOAuth2ClientDetailsEntityService { assertThat(client.getScope().contains(SystemScopeService.OFFLINE_ACCESS), is(equalTo(false))); } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_authcode_invalidGrants() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("authorization_code"); - grantTypes.add("implicit"); - grantTypes.add("client_credentials"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - client.setRedirectUris(Sets.newHashSet("https://foo.bar/")); - - client.setJwksUri("https://foo.bar/jwks"); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_implicit_invalidGrants() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("implicit"); - grantTypes.add("authorization_code"); - grantTypes.add("client_credentials"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.NONE); - - client.setRedirectUris(Sets.newHashSet("https://foo.bar/")); - - client.setJwksUri("https://foo.bar/jwks"); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_clientcreds_invalidGrants() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("client_credentials"); - grantTypes.add("authorization_code"); - grantTypes.add("implicit"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - client.setJwksUri("https://foo.bar/jwks"); - - service.saveNewClient(client); - - 
} - - @Test(expected = IllegalArgumentException.class) - public void heartMode_authcode_authMethod() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("authorization_code"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.SECRET_POST); - - client.setRedirectUris(Sets.newHashSet("https://foo.bar/")); - - client.setJwksUri("https://foo.bar/jwks"); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_implicit_authMethod() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("implicit"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - client.setRedirectUris(Sets.newHashSet("https://foo.bar/")); - - client.setJwksUri("https://foo.bar/jwks"); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_clientcreds_authMethod() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("client_credentials"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC); - - client.setRedirectUris(Sets.newHashSet("https://foo.bar/")); - - client.setJwksUri("https://foo.bar/jwks"); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_authcode_redirectUris() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("authorization_code"); - 
client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_implicit_redirectUris() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("implicit"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.NONE); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_clientcreds_redirectUris() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("client_credentials"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - client.setRedirectUris(Sets.newHashSet("http://foo.bar/")); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_clientSecret() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("authorization_code"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - client.setRedirectUris(Sets.newHashSet("http://foo.bar/")); - - client.setClientSecret("secret!"); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_noJwks() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("authorization_code"); - client.setGrantTypes(grantTypes); - - 
client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - client.setRedirectUris(Sets.newHashSet("https://foo.bar/")); - - client.setJwks(null); - client.setJwksUri(null); - - service.saveNewClient(client); - - } - - @Test - public void heartMode_validAuthcodeClient() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("authorization_code"); - grantTypes.add("refresh_token"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - client.setRedirectUris(Sets.newHashSet("https://foo.bar/")); - - client.setJwksUri("https://foo.bar/jwks"); - - service.saveNewClient(client); - - assertThat(client.getClientId(), is(notNullValue(String.class))); - assertThat(client.getClientSecret(), is(nullValue())); - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_nonLocalHttpRedirect() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("authorization_code"); - grantTypes.add("refresh_token"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - client.setRedirectUris(Sets.newHashSet("http://foo.bar/")); - - client.setJwksUri("https://foo.bar/jwks"); - - service.saveNewClient(client); - - } - - @Test(expected = IllegalArgumentException.class) - public void heartMode_multipleRedirectClass() { - Mockito.when(config.isHeartMode()).thenReturn(true); - - ClientDetailsEntity client = new ClientDetailsEntity(); - Set<String> grantTypes = new LinkedHashSet<>(); - grantTypes.add("authorization_code"); - grantTypes.add("refresh_token"); - client.setGrantTypes(grantTypes); - - client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY); - - client.setRedirectUris(Sets.newHashSet("http://localhost/", 
"https://foo.bar", "foo://bar")); - - client.setJwksUri("https://foo.bar/jwks"); - - service.saveNewClient(client); - - } } diff --git a/perun-oidc-server/src/test/java/cz/muni/ics/openid/connect/assertion/TestJWTBearerAuthenticationProvider.java b/perun-oidc-server/src/test/java/cz/muni/ics/openid/connect/assertion/TestJWTBearerAuthenticationProvider.java index e4b1b64b7..366b16804 100644 --- a/perun-oidc-server/src/test/java/cz/muni/ics/openid/connect/assertion/TestJWTBearerAuthenticationProvider.java +++ b/perun-oidc-server/src/test/java/cz/muni/ics/openid/connect/assertion/TestJWTBearerAuthenticationProvider.java @@ -196,20 +196,6 @@ public class TestJWTBearerAuthenticationProvider { } } - @Test - public void should_throw_AuthenticationServiceException_for_SignedJWT_when_in_heart_mode_and_auth_method_is_not_PRIVATE_KEY() { - SignedJWT signedJWT = createSignedJWT(JWSAlgorithm.HS256); - when(token.getJwt()).thenReturn(signedJWT); - when(client.getTokenEndpointAuthSigningAlg()).thenReturn(JWSAlgorithm.HS256); - when(config.isHeartMode()).thenReturn(true); - when(client.getTokenEndpointAuthMethod()).thenReturn(AuthMethod.SECRET_JWT); - - Throwable thrown = authenticateAndReturnThrownException(); - - assertThat(thrown, instanceOf(AuthenticationServiceException.class)); - assertThat(thrown.getMessage(), is("[HEART mode] Invalid authentication method")); - } - @Test public void should_throw_AuthenticationServiceException_for_SignedJWT_when_null_validator() { mockSignedJWTAuthAttempt(); -- GitLab