From 481b54f9a51949024ba8e25331b348b4945ac1ef Mon Sep 17 00:00:00 2001
From: Dominik Frantisek Bucik <bucik@ics.muni.cz>
Date: Fri, 1 Mar 2024 13:49:35 +0100
Subject: [PATCH] =?UTF-8?q?refactor:=20=F0=9F=92=A1=20Remove=20HEART=20mod?=
 =?UTF-8?q?e?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../main/webapp/WEB-INF/tags/copyright.tag    |   1 -
 .../src/main/webapp/WEB-INF/tags/header.tag   |   3 -
 .../src/main/webapp/resources/js/client.js    |  78 ++---
 .../webapp/resources/template/client.html     |  10 +-
 .../impl/BlacklistAwareRedirectResolver.java  |   7 +-
 ...faultOAuth2ClientDetailsEntityService.java | 123 +-------
 .../ics/oauth2/service/impl/ServiceUtils.java |  10 -
 .../JWTBearerAuthenticationProvider.java      |   5 -
 .../config/ConfigurationPropertiesBean.java   |  15 +-
 .../TestBlacklistAwareRedirectResolver.java   |  13 -
 ...faultOAuth2ClientDetailsEntityService.java | 269 ------------------
 .../TestJWTBearerAuthenticationProvider.java  |  14 -
 12 files changed, 32 insertions(+), 516 deletions(-)

diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag
index e05105f0c..c117d17ce 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag
@@ -2,7 +2,6 @@
 <%@ tag import="org.springframework.web.context.support.WebApplicationContextUtils" %>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<c:if test="${ config.heartMode }"><span class="pull-left"><img src="resources/images/heart_mode.png" alt="HEART Mode" title="This server is running in HEART Compliance Mode" /></span> </c:if>
 <%
     PerunOidcConfig perunOidcConfig = WebApplicationContextUtils.getWebApplicationContext(application).getBean("perunOidcConfig", PerunOidcConfig.class);
 %>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/header.tag b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/header.tag
index 78b270f8f..55972c19d 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/header.tag
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/header.tag
@@ -73,9 +73,6 @@
 				return false;
 			}
 		}
-		
-		var heartMode = ${config.heartMode};
-		
     </script>
 </head>
 
diff --git a/perun-oidc-server-webapp/src/main/webapp/resources/js/client.js b/perun-oidc-server-webapp/src/main/webapp/resources/js/client.js
index 90912bd1b..0cbd97cbc 100644
--- a/perun-oidc-server-webapp/src/main/webapp/resources/js/client.js
+++ b/perun-oidc-server-webapp/src/main/webapp/resources/js/client.js
@@ -1256,7 +1256,6 @@ var ClientFormView = Backbone.View.extend({
   render: function (eventName) {
     var data = {
       client: this.model.toJSON(),
-      heartMode: heartMode,
     };
     $(this.el).html(this.template(data));
 
@@ -1560,60 +1559,33 @@ ui.routes.push({
         contacts.push(userInfo.email);
       }
 
-      // use a different set of defaults based on heart mode flag
-      if (heartMode) {
-        client.set(
-          {
-            tokenEndpointAuthMethod: "PRIVATE_KEY",
-            generateClientSecret: true,
-            requireAuthTime: true,
-            defaultMaxAge: 60000,
-            scope: _.uniq(
-              _.flatten(app.systemScopeList.defaultScopes().pluck("value")),
-            ),
-            accessTokenValiditySeconds: 3600,
-            refreshTokenValiditySeconds: 24 * 3600,
-            idTokenValiditySeconds: 300,
-            deviceCodeValiditySeconds: 30 * 60,
-            grantTypes: ["authorization_code"],
-            responseTypes: ["code"],
-            subjectType: "PUBLIC",
-            jwksType: "URI",
-            contacts: contacts,
-          },
-          {
-            silent: true,
-          },
-        );
-      } else {
         // set up this new client to require a secret and have us
         // autogenerate one
-        client.set(
-          {
-            tokenEndpointAuthMethod: "SECRET_BASIC",
-            introspectionEndpointAuthMethod: "SECRET_BASIC",
-            revocationEndpointAuthMethod: "SECRET_BASIC",
-            deviceEndpointAuthMethod: "SECRET_BASIC",
-            generateClientSecret: true,
-            requireAuthTime: true,
-            defaultMaxAge: 60000,
-            scope: _.uniq(
-              _.flatten(app.systemScopeList.defaultScopes().pluck("value")),
-            ),
-            accessTokenValiditySeconds: 3600,
-            idTokenValiditySeconds: 600,
-            deviceCodeValiditySeconds: 30 * 60,
-            grantTypes: ["authorization_code"],
-            responseTypes: ["code"],
-            subjectType: "PUBLIC",
-            jwksType: "URI",
-            contacts: contacts,
-          },
-          {
-            silent: true,
-          },
-        );
-      }
+      client.set(
+        {
+          tokenEndpointAuthMethod: "SECRET_BASIC",
+          introspectionEndpointAuthMethod: "SECRET_BASIC",
+          revocationEndpointAuthMethod: "SECRET_BASIC",
+          deviceEndpointAuthMethod: "SECRET_BASIC",
+          generateClientSecret: true,
+          requireAuthTime: true,
+          defaultMaxAge: 60000,
+          scope: _.uniq(
+            _.flatten(app.systemScopeList.defaultScopes().pluck("value")),
+          ),
+          accessTokenValiditySeconds: 3600,
+          idTokenValiditySeconds: 600,
+          deviceCodeValiditySeconds: 30 * 60,
+          grantTypes: ["authorization_code"],
+          responseTypes: ["code"],
+          subjectType: "PUBLIC",
+          jwksType: "URI",
+          contacts: contacts,
+        },
+        {
+          silent: true,
+        },
+      );
 
       $("#content").html(view.render().el);
       setPageTitle($.t("client.client-form.new"));
diff --git a/perun-oidc-server-webapp/src/main/webapp/resources/template/client.html b/perun-oidc-server-webapp/src/main/webapp/resources/template/client.html
index e41f522b9..24d46286d 100644
--- a/perun-oidc-server-webapp/src/main/webapp/resources/template/client.html
+++ b/perun-oidc-server-webapp/src/main/webapp/resources/template/client.html
@@ -384,27 +384,25 @@
 
                   <div class="controls">
                       <div>
-                          <input id="grantTypes-authorization_code" <%= heartMode ? 'type="radio" name="grantType"' : 'type="checkbox"' %>
+                          <input id="grantTypes-authorization_code" type="checkbox">
                               <%-($.inArray("authorization_code", client.grantTypes) > -1 ? 'checked' : '')%>>
                           <label for="grantTypes-authorization_code" class="checkbox" data-i18n="client.client-form.authorization-code">authorization code</label>
                       </div>
 
                       <div>
-                          <input id="grantTypes-client_credentials" <%= heartMode ? 'type="radio" name="grantType"' : 'type="checkbox"' %>
+                          <input id="grantTypes-client_credentials" type="checkbox">
                               <%-($.inArray("client_credentials", client.grantTypes) > -1 ? 'checked' : '')%>>
                           <label for="grantTypes-client_credentials" class="checkbox" data-i18n="client.client-form.client-credentials">client credentials</label>
                       </div>
 
-  					<% if (!heartMode) { // disable password on heart mode %>
                       <div>
-                          <input id="grantTypes-password" type="checkbox"
+                          <input id="grantTypes-password" type="checkbox">
                               <%-($.inArray("password", client.grantTypes) > -1 ? 'checked' : '')%>>
                           <label for="grantTypes-password" class="checkbox" data-i18n="client.client-form.password">password</label>
                       </div>
-  					<% } %>
 
                       <div>
-                          <input id="grantTypes-implicit" <%= heartMode ? 'type="radio" name="grantType"' : 'type="checkbox"' %>
+                          <input id="grantTypes-implicit" type="checkbox">
                               <%-($.inArray("implicit", client.grantTypes) > -1 ? 'checked' : '')%>>
                           <label for="grantTypes-implicit" class="checkbox" data-i18n="client.client-form.implicit">implicit</label>
                       </div>
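Review bot: The `>` added after `type="checkbox"` on the four grant-type inputs closes each `<input>` tag before the following `<%-(... ? 'checked' : '')%>>` line, so `checked` is emitted as text after the element instead of as an attribute, together with a stray `>`. As rendered, the form would show every grant type unchecked regardless of `client.grantTypes`, which hides the grants a client actually holds (including `password` and `implicit`) and may clear them on save, depending on how the view reads the boxes. Drop the added `>` so each opening line reads like the original password input, e.g. `<input id="grantTypes-implicit" type="checkbox"`, and let the existing `>>` on the next line close the tag.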
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/BlacklistAwareRedirectResolver.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/BlacklistAwareRedirectResolver.java
index b11da98d2..565023c79 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/BlacklistAwareRedirectResolver.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/BlacklistAwareRedirectResolver.java
@@ -97,12 +97,7 @@ public class BlacklistAwareRedirectResolver implements RedirectResolver {
 	 * @return the strictMatch
 	 */
 	public boolean isStrictMatch() {
-		if (config.isHeartMode()) {
-			// HEART mode enforces strict matching
-			return true;
-		} else {
-			return strictMatch;
-		}
+		return strictMatch;
 	}
 
 	/**
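Review bot: `isStrictMatch()` now depends only on the `strictMatch` field, so a deployment that relied on HEART mode to force exact redirect-URI comparison falls back to whatever that field holds, and its default is not visible in this hunk. The same commit deletes `testHeartMode` from TestBlacklistAwareRedirectResolver.java, which asserted that `pathUri` does not match `goodUri`. Consider keeping that test with strict matching switched on through the resolver's own setting instead of dropping it, so the exact-match path stays covered. If `config` is no longer read anywhere in this class, the field can be removed as well.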
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
index 0ad029a2b..9561175aa 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
@@ -120,8 +120,6 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 		// make sure we don't have both a JWKS and a JWKS URI
 		ensureKeyConsistency(client);
 
-		// check consistency when using HEART mode
-		checkHeartMode(client);
 
 		// timestamp this to right now
 		client.setCreatedAt(new Date());
@@ -192,117 +190,6 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 		}
 	}
 
-	/**
-	 * If HEART mode is enabled, make sure the client meets the requirements:
-	 *  - Only one of authorization_code, implicit, or client_credentials can be used at a time
-	 *  - A redirect_uri must be registered with either authorization_code or implicit
-	 *  - A key must be registered
-	 *  - A client secret must not be generated
-	 *  - authorization_code and client_credentials must use the private_key authorization method
-	 * @param client
-	 */
-	private void checkHeartMode(ClientDetailsEntity client) {
-		if (config.isHeartMode()) {
-			if (client.getGrantTypes().contains("authorization_code")) {
-				// make sure we don't have incompatible grant types
-				if (client.getGrantTypes().contains("implicit") || client.getGrantTypes().contains("client_credentials")) {
-					throw new IllegalArgumentException("[HEART mode] Incompatible grant types");
-				}
-
-				// make sure we've got the right authentication method
-				if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
-					throw new IllegalArgumentException("[HEART mode] Authorization code clients must use the private_key authentication method");
-				}
-
-				// make sure we've got a redirect URI
-				if (client.getRedirectUris().isEmpty()) {
-					throw new IllegalArgumentException("[HEART mode] Authorization code clients must register at least one redirect URI");
-				}
-			}
-
-			if (client.getGrantTypes().contains("implicit")) {
-				// make sure we don't have incompatible grant types
-				if (client.getGrantTypes().contains("authorization_code") || client.getGrantTypes().contains("client_credentials") || client.getGrantTypes().contains("refresh_token")) {
-					throw new IllegalArgumentException("[HEART mode] Incompatible grant types");
-				}
-
-				// make sure we've got the right authentication method
-				if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
-					throw new IllegalArgumentException("[HEART mode] Implicit clients must use the none authentication method");
-				}
-
-				// make sure we've got a redirect URI
-				if (client.getRedirectUris().isEmpty()) {
-					throw new IllegalArgumentException("[HEART mode] Implicit clients must register at least one redirect URI");
-				}
-			}
-
-			if (client.getGrantTypes().contains("client_credentials")) {
-				// make sure we don't have incompatible grant types
-				if (client.getGrantTypes().contains("authorization_code") || client.getGrantTypes().contains("implicit") || client.getGrantTypes().contains("refresh_token")) {
-					throw new IllegalArgumentException("[HEART mode] Incompatible grant types");
-				}
-
-				// make sure we've got the right authentication method
-				if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
-					throw new IllegalArgumentException("[HEART mode] Client credentials clients must use the private_key authentication method");
-				}
-
-				// make sure we've got a redirect URI
-				if (!client.getRedirectUris().isEmpty()) {
-					throw new IllegalArgumentException("[HEART mode] Client credentials clients must not register a redirect URI");
-				}
-
-			}
-
-			if (client.getGrantTypes().contains("password")) {
-				throw new IllegalArgumentException("[HEART mode] Password grant type is forbidden");
-			}
-
-			// make sure we don't have a client secret
-			if (!Strings.isNullOrEmpty(client.getClientSecret())) {
-				throw new IllegalArgumentException("[HEART mode] Client secrets are not allowed");
-			}
-
-			// make sure we've got a key registered
-			if (client.getJwks() == null && Strings.isNullOrEmpty(client.getJwksUri())) {
-				throw new IllegalArgumentException("[HEART mode] All clients must have a key registered");
-			}
-
-			// make sure our redirect URIs each fit one of the allowed categories
-			if (client.getRedirectUris() != null && !client.getRedirectUris().isEmpty()) {
-				boolean localhost = false;
-				boolean remoteHttps = false;
-				boolean customScheme = false;
-				for (String uri : client.getRedirectUris()) {
-					UriComponents components = UriComponentsBuilder.fromUriString(uri).build();
-					if (components.getScheme() == null) {
-						// this is a very unknown redirect URI
-						customScheme = true;
-					} else if (components.getScheme().equals("http")) {
-						// http scheme, check for localhost
-						if (components.getHost().equals("localhost") || components.getHost().equals("127.0.0.1")) {
-							localhost = true;
-						} else {
-							throw new IllegalArgumentException("[HEART mode] Can't have an http redirect URI on non-local host");
-						}
-					} else if (components.getScheme().equals("https")) {
-						remoteHttps = true;
-					} else {
-						customScheme = true;
-					}
-				}
-
-				// now we make sure the client has a URI in only one of each of the three categories
-				if (!((localhost ^ remoteHttps ^ customScheme)
-						&& !(localhost && remoteHttps && customScheme))) {
-					throw new IllegalArgumentException("[HEART mode] Can't have more than one class of redirect URI");
-				}
-			}
-
-		}
-	}
-
 	/**
 	 * Get the client by its internal ID
 	 */
@@ -387,9 +274,6 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 			// make sure we don't have both a JWKS and a JWKS URI
 			ensureKeyConsistency(newClient);
 
-			// check consistency when using HEART mode
-			checkHeartMode(newClient);
-
 			// check the sector URI
 			checkSectorIdentifierUri(newClient);
 
@@ -423,12 +307,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 	 */
 	@Override
 	public ClientDetailsEntity generateClientSecret(ClientDetailsEntity client) {
-		if (config.isHeartMode()) {
-			log.error("[HEART mode] Can't generate a client secret, skipping step; client won't be saved due to invalid configuration");
-			client.setClientSecret(null);
-		} else {
-			client.setClientSecret(Base64.encodeBase64URLSafeString(new BigInteger(512, new SecureRandom()).toByteArray()).replace("=", ""));
-		}
+		client.setClientSecret(Base64.encodeBase64URLSafeString(new BigInteger(512, new SecureRandom()).toByteArray()).replace("=", ""));
 		return client;
 	}
 
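Review bot: In `generateClientSecret` the secret bytes come from `new BigInteger(512, new SecureRandom()).toByteArray()`, whose length varies: a zero sign byte is prepended whenever the top bit is set, and leading zero bytes are dropped otherwise. The encoded secret therefore has an uneven length and a biased first character. The entropy is still ample, but a fixed-size buffer is easier to reason about, e.g. `byte[] raw = new byte[64]; new SecureRandom().nextBytes(raw);` followed by the same Base64 call.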
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/ServiceUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/ServiceUtils.java
index ed29d96ff..a4f05cd7a 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/ServiceUtils.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/ServiceUtils.java
@@ -1,27 +1,17 @@
 package cz.muni.ics.oauth2.service.impl;
 
 import cz.muni.ics.oauth2.model.ClientDetailsEntity;
-import cz.muni.ics.oauth2.model.enums.AuthMethod;
 import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 
-import java.math.BigInteger;
-import java.security.SecureRandom;
 import java.util.Collection;
 import java.util.HashSet;
 
 public class ServiceUtils {
 
 	public static UserDetails getUserDetails(String decodedClientId, ClientDetailsEntity client, String encodedPassword, ConfigurationPropertiesBean config, GrantedAuthority roleClient) {
-		if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
-			(client.getTokenEndpointAuthMethod() != null &&
-				(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
-					client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {
-			encodedPassword = new BigInteger(512, new SecureRandom()).toString(16);
-		}
-
 		Collection<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
 		authorities.add(roleClient);
 
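Review bot: The condition removed from `getUserDetails` did more than HEART mode: for clients whose token endpoint auth method is `PRIVATE_KEY` or `SECRET_JWT` it replaced `encodedPassword` with a fresh random value, so a stored client secret could not be presented as a password. With the whole block gone that substitution no longer happens in any mode, and because the new-client defaults in client.js keep `generateClientSecret: true`, such clients may well have a secret on record. Unless the auth method is enforced elsewhere (not visible here; the method body continues past this hunk), keep the non-HEART half of the condition as below, along with the `AuthMethod`, `BigInteger` and `SecureRandom` imports this hunk removes.

```java
	public static UserDetails getUserDetails(String decodedClientId, ClientDetailsEntity client, String encodedPassword, ConfigurationPropertiesBean config, GrantedAuthority roleClient) {
		AuthMethod method = client.getTokenEndpointAuthMethod();
		if (AuthMethod.PRIVATE_KEY.equals(method) || AuthMethod.SECRET_JWT.equals(method)) {
			// key-based clients must never authenticate with a stored secret:
			// substitute a throwaway random password on every lookup
			encodedPassword = new BigInteger(512, new SecureRandom()).toString(16);
		}
		// … unchanged: authorities set-up and the rest of the method …
```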
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/assertion/JWTBearerAuthenticationProvider.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/assertion/JWTBearerAuthenticationProvider.java
index c5612dae6..0cda0b2c5 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/assertion/JWTBearerAuthenticationProvider.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/assertion/JWTBearerAuthenticationProvider.java
@@ -123,11 +123,6 @@ public class JWTBearerAuthenticationProvider implements AuthenticationProvider {
 							|| alg.equals(JWSAlgorithm.HS384)
 							|| alg.equals(JWSAlgorithm.HS512)))) {
 
-				// double-check the method is asymmetrical if we're in HEART mode
-				if (config.isHeartMode() && !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
-					throw new AuthenticationServiceException("[HEART mode] Invalid authentication method");
-				}
-
 				JWTSigningAndValidationService validator = validators.getValidator(client, alg);
 
 				if (validator == null) {
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/config/ConfigurationPropertiesBean.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/config/ConfigurationPropertiesBean.java
index 510f8d275..7572ec9e4 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/config/ConfigurationPropertiesBean.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/config/ConfigurationPropertiesBean.java
@@ -51,7 +51,6 @@ public class ConfigurationPropertiesBean implements InitializingBean {
 	private Locale locale = Locale.ENGLISH; // we default to the english translation
 	private List<String> languageNamespaces = Lists.newArrayList("messages");
 	private boolean dualClient = false;
-	private boolean heartMode = false;
 	private boolean allowCompleteDeviceCodeUri = false;
 
 	public ConfigurationPropertiesBean() { }
@@ -154,11 +153,7 @@ public class ConfigurationPropertiesBean implements InitializingBean {
 	}
 
 	public boolean isDualClient() {
-		if (isHeartMode()) {
-			return false; // HEART mode is incompatible with dual client mode
-		} else {
-			return dualClient;
-		}
+		return dualClient;
 	}
 
 	public void setDualClient(boolean dualClient) {
@@ -173,14 +168,6 @@ public class ConfigurationPropertiesBean implements InitializingBean {
 		return getLanguageNamespaces().get(0);
 	}
 
-	public boolean isHeartMode() {
-		return heartMode;
-	}
-
-	public void setHeartMode(boolean heartMode) {
-		this.heartMode = heartMode;
-	}
-
 	public boolean isAllowCompleteDeviceCodeUri() {
 		return allowCompleteDeviceCodeUri;
 	}
diff --git a/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java b/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java
index 65bbc38cc..e0fd77787 100644
--- a/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java
+++ b/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java
@@ -134,17 +134,4 @@ public class TestBlacklistAwareRedirectResolver {
 
 	}
 
-	@Test
-	public void testHeartMode() {
-		// this is not an exact match
-		boolean res1 = resolver.redirectMatches(pathUri, goodUri, AppType.WEB);
-
-		assertThat(res1, is(false));
-
-		// this is an exact match
-		boolean res2 = resolver.redirectMatches(goodUri, goodUri, AppType.WEB);
-
-		assertThat(res2, is(true));
-	}
-
 }
diff --git a/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java b/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java
index 7953d1a6a..2b55817d4 100644
--- a/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java
+++ b/perun-oidc-server/src/test/java/cz/muni/ics/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java
@@ -127,9 +127,6 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 
 		// we're not testing reserved scopes here, just pass through when it's called
 		Mockito.when(scopeService.removeReservedScopes(ArgumentMatchers.anySet())).then(AdditionalAnswers.returnsFirstArg());
-
-		Mockito.when(config.isHeartMode()).thenReturn(false);
-
 	}
 
 	/**
@@ -345,270 +342,4 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 
 		assertThat(client.getScope().contains(SystemScopeService.OFFLINE_ACCESS), is(equalTo(false)));
 	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_authcode_invalidGrants() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("authorization_code");
-		grantTypes.add("implicit");
-		grantTypes.add("client_credentials");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		client.setRedirectUris(Sets.newHashSet("https://foo.bar/"));
-
-		client.setJwksUri("https://foo.bar/jwks");
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_implicit_invalidGrants() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("implicit");
-		grantTypes.add("authorization_code");
-		grantTypes.add("client_credentials");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.NONE);
-
-		client.setRedirectUris(Sets.newHashSet("https://foo.bar/"));
-
-		client.setJwksUri("https://foo.bar/jwks");
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_clientcreds_invalidGrants() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("client_credentials");
-		grantTypes.add("authorization_code");
-		grantTypes.add("implicit");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		client.setJwksUri("https://foo.bar/jwks");
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_authcode_authMethod() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("authorization_code");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.SECRET_POST);
-
-		client.setRedirectUris(Sets.newHashSet("https://foo.bar/"));
-
-		client.setJwksUri("https://foo.bar/jwks");
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_implicit_authMethod() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("implicit");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		client.setRedirectUris(Sets.newHashSet("https://foo.bar/"));
-
-		client.setJwksUri("https://foo.bar/jwks");
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_clientcreds_authMethod() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("client_credentials");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
-
-		client.setRedirectUris(Sets.newHashSet("https://foo.bar/"));
-
-		client.setJwksUri("https://foo.bar/jwks");
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_authcode_redirectUris() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("authorization_code");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_implicit_redirectUris() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("implicit");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.NONE);
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_clientcreds_redirectUris() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("client_credentials");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		client.setRedirectUris(Sets.newHashSet("http://foo.bar/"));
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_clientSecret() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("authorization_code");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		client.setRedirectUris(Sets.newHashSet("http://foo.bar/"));
-
-		client.setClientSecret("secret!");
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_noJwks() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("authorization_code");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		client.setRedirectUris(Sets.newHashSet("https://foo.bar/"));
-
-		client.setJwks(null);
-		client.setJwksUri(null);
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test
-	public void heartMode_validAuthcodeClient() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("authorization_code");
-		grantTypes.add("refresh_token");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		client.setRedirectUris(Sets.newHashSet("https://foo.bar/"));
-
-		client.setJwksUri("https://foo.bar/jwks");
-
-		service.saveNewClient(client);
-
-		assertThat(client.getClientId(), is(notNullValue(String.class)));
-		assertThat(client.getClientSecret(), is(nullValue()));
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_nonLocalHttpRedirect() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("authorization_code");
-		grantTypes.add("refresh_token");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		client.setRedirectUris(Sets.newHashSet("http://foo.bar/"));
-
-		client.setJwksUri("https://foo.bar/jwks");
-
-		service.saveNewClient(client);
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void heartMode_multipleRedirectClass() {
-		Mockito.when(config.isHeartMode()).thenReturn(true);
-
-		ClientDetailsEntity client = new ClientDetailsEntity();
-		Set<String> grantTypes = new LinkedHashSet<>();
-		grantTypes.add("authorization_code");
-		grantTypes.add("refresh_token");
-		client.setGrantTypes(grantTypes);
-
-		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
-
-		client.setRedirectUris(Sets.newHashSet("http://localhost/", "https://foo.bar", "foo://bar"));
-
-		client.setJwksUri("https://foo.bar/jwks");
-
-		service.saveNewClient(client);
-
-	}
 }
diff --git a/perun-oidc-server/src/test/java/cz/muni/ics/openid/connect/assertion/TestJWTBearerAuthenticationProvider.java b/perun-oidc-server/src/test/java/cz/muni/ics/openid/connect/assertion/TestJWTBearerAuthenticationProvider.java
index e4b1b64b7..366b16804 100644
--- a/perun-oidc-server/src/test/java/cz/muni/ics/openid/connect/assertion/TestJWTBearerAuthenticationProvider.java
+++ b/perun-oidc-server/src/test/java/cz/muni/ics/openid/connect/assertion/TestJWTBearerAuthenticationProvider.java
@@ -196,20 +196,6 @@ public class TestJWTBearerAuthenticationProvider {
 		}
 	}
 
-	@Test
-	public void should_throw_AuthenticationServiceException_for_SignedJWT_when_in_heart_mode_and_auth_method_is_not_PRIVATE_KEY() {
-		SignedJWT signedJWT = createSignedJWT(JWSAlgorithm.HS256);
-		when(token.getJwt()).thenReturn(signedJWT);
-		when(client.getTokenEndpointAuthSigningAlg()).thenReturn(JWSAlgorithm.HS256);
-		when(config.isHeartMode()).thenReturn(true);
-		when(client.getTokenEndpointAuthMethod()).thenReturn(AuthMethod.SECRET_JWT);
-
-		Throwable thrown = authenticateAndReturnThrownException();
-
-		assertThat(thrown, instanceOf(AuthenticationServiceException.class));
-		assertThat(thrown.getMessage(), is("[HEART mode] Invalid authentication method"));
-	}
-
 	@Test
 	public void should_throw_AuthenticationServiceException_for_SignedJWT_when_null_validator() {
 		mockSignedJWTAuthAttempt();
-- 
GitLab