ziver/zutil
1
0
Fork 0
Code Issues Pull requests Activity Actions

Added more test cases for OAuth and fixed osme issues

Browse source
This commit is contained in:
Ziver Koc 2020-11-22 01:28:36 +01:00
parent f65cb0e4c4
commit 6f7510ce42
5 changed files with 334 additions and 119 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/zutil/Timer.java
View file

@ -40,10 +40,12 @@ public class Timer {
/**
* Creates a new timer that in reset state.
* Create a new timer that will timeout in a specified amount of time from now.
*
* @param millisecond the time in milliseconds that the timeout should happen.
*/
public Timer(long milisec){
this.period = milisec;
public Timer(long millisecond){
this.period = millisecond;
reset();
}

6
src/zutil/net/http/page/oauth/OAuth2Registry.java
View file

@ -144,6 +144,8 @@ public class OAuth2Registry {
ClientRegister reg = getClientRegistry(clientId);
if (reg != null) {
boolean b1 = reg.accessTokens.containsKey(token);
boolean b2 = reg.accessTokens.get(token).hasTimedOut();
return reg.accessTokens.containsKey(token) &&
!reg.accessTokens.get(token).hasTimedOut();
}
@ -161,7 +163,7 @@ public class OAuth2Registry {
ClientRegister reg = getClientRegistry(clientId);
if (reg != null) {
reg.authCodes.put(code, new Timer(timeoutMillis));
reg.authCodes.put(code, new Timer(timeoutMillis).start());
return timeoutMillis;
}
return -1;
@ -174,7 +176,7 @@ public class OAuth2Registry {
ClientRegister reg = getClientRegistry(clientId);
if (reg != null) {
reg.accessTokens.put(token, new Timer(timeoutMillis));
reg.accessTokens.put(token, new Timer(timeoutMillis).start());
return timeoutMillis;
}
return -1;

50
src/zutil/net/http/page/oauth/OAuth2TokenPage.java
View file

@ -81,20 +81,20 @@ public class OAuth2TokenPage extends HttpJsonPage {
/** The request is missing a required parameter, includes an unsupported parameter value (other than grant type),
repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the
client, or is otherwise malformed. **/
protected static final String ERROR_INVALID_REQUEST = "invalid_request";
private static final String ERROR_INVALID_REQUEST = "invalid_request";
/** Client authentication failed (e.g., unknown client, no client authentication included, or unsupported
authentication method). **/
protected static final String ERROR_INVALID_CLIENT = "invalid_client";
authentication method). **/
private static final String ERROR_INVALID_CLIENT = "invalid_client";
/** The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to
another client. **/
protected static final String ERROR_INVALID_GRANT = "invalid_grant";
private static final String ERROR_INVALID_GRANT = "invalid_grant";
/** The authenticated client is not authorized to use this authorization grant type. **/
protected static final String ERROR_UNAUTHORIZED_CLIENT = "unauthorized_client";
private static final String ERROR_UNAUTHORIZED_CLIENT = "unauthorized_client";
/** The authorization grant type is not supported by the authorization server. **/
protected static final String ERROR_UNSUPPORTED_GRANT_TYPE = "unsupported_grant_type";
private static final String ERROR_UNSUPPORTED_GRANT_TYPE = "unsupported_grant_type";
/** The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. **/
protected static final String ERROR_INVALID_SCOPE = "invalid_scope";
private static final String ERROR_INVALID_SCOPE = "invalid_scope";
private Random random = new Random();
private OAuth2Registry registry;
@ -119,18 +119,48 @@ public class OAuth2TokenPage extends HttpJsonPage {
out.setHeader("Cache-Control", "no-store");
out.setHeader("Pragma", "no-cache");
// -----------------------------------------------
// Validate parameters
// -----------------------------------------------
DataNode jsonRes = new DataNode(DataNode.DataType.Map);
// Validate client_id
if (!request.containsKey("client_id"))
return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter client_id.");
return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter: client_id");
String clientId = request.get("client_id");
if (registry.isClientIdValid(clientId))
if (!registry.isClientIdValid(clientId))
return errorResponse(out, ERROR_INVALID_CLIENT , request.get("state"), "Invalid client_id value.");
// Validate code
if (!request.containsKey("code"))
return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter: code");
if (!registry.isAuthorizationCodeValid(clientId, request.get("code")))
return errorResponse(out, ERROR_INVALID_GRANT, request.get("state"), "Invalid authorization code value provided.");
return errorResponse(out, ERROR_INVALID_GRANT, request.get("state"), "Invalid authorization code value.");
// Validate redirect_uri
if (!request.containsKey("redirect_uri"))
return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter: redirect_uri");
// TODO: ensure that the "redirect_uri" parameter is present if the
// "redirect_uri" parameter was included in the initial authorization
// request as described in Section 4.1.1, and if included ensure that
// their values are identical.
// Validate grant_type
if (!request.containsKey("grant_type"))
return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter grant_type.");
// -----------------------------------------------
// Handle request
// -----------------------------------------------
String grantType = request.get("grant_type");

174
test/zutil/net/http/page/oauth/OAuth2AuthorizationPageTest.java Normal file
View file

@ -0,0 +1,174 @@
/*
* The MIT License (MIT)
*
* Copyright (c) 2020 Ziver Koc
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package zutil.net.http.page.oauth;
import org.junit.Before;
import org.junit.Test;
import zutil.net.http.HttpHeader;
import zutil.net.http.HttpTestUtil;
import zutil.net.http.HttpURL;
import java.io.IOException;
import static org.junit.Assert.*;
public class OAuth2AuthorizationPageTest {
private static final String VALID_CLIENT_ID = "12345";
private static final String VALID_REDIRECT_URI = "https://example.com";
private OAuth2Registry registry;
private OAuth2AuthorizationPage authPage;
@Before
public void init(){
registry = new OAuth2Registry();
authPage = new OAuth2AuthorizationPage(registry);
registry.addWhitelist(VALID_CLIENT_ID);
}
@Test
public void invalidRedirect() throws IOException {
HttpHeader reqHeader = new HttpHeader();
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
// redirect_uri and client_id not provided
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
// redirect_uri not provided
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
// redirect_uri is not a valid URL
reqHeader.setURLAttribute("redirect_uri", "invalid_url");
rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
// redirect_uri is not HTTPS
reqHeader.setURLAttribute("redirect_uri", "http://example.com");
rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
}
@Test
public void invalidClientId() throws IOException {
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
// client_id not provided
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
}
@Test
public void errorInvalidRequest() throws IOException {
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
// Missing response_type
assertEquals(302, rspHeader.getResponseStatusCode());
HttpURL url = new HttpURL(rspHeader.getHeader("Location"));
assertNull(url.getParameter("code"));
assertEquals("invalid_request", url.getParameter("error"));
// response_type is not code
reqHeader.setURLAttribute("response_type", "not_code");
rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(302, rspHeader.getResponseStatusCode());
assertNull(url.getParameter("code"));
assertEquals("invalid_request", url.getParameter("error"));
}
/** The client is not authorized to request an authorization code using this method. **/
@Test
public void errorUnauthorizedClient() throws IOException {
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", "67890");
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
// Missing response_type
assertEquals(302, rspHeader.getResponseStatusCode());
HttpURL url = new HttpURL(rspHeader.getHeader("Location"));
assertNull(url.getParameter("code"));
assertEquals("unauthorized_client", url.getParameter("error"));
}
@Test
public void requestBasic() throws IOException {
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
reqHeader.setURLAttribute("response_type", "code");
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(302, rspHeader.getResponseStatusCode());
HttpURL url = new HttpURL(rspHeader.getHeader("Location"));
assertEquals("example.com", url.getHost());
assertNotNull(url.getParameter("code"));
assertNull(url.getParameter("state"));
assertTrue(registry.isAuthorizationCodeValid("12345", url.getParameter("code")));
}
@Test
public void requestWithState() throws IOException {
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
reqHeader.setURLAttribute("response_type", "code");
reqHeader.setURLAttribute("state", "app_state");
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(302, rspHeader.getResponseStatusCode());
HttpURL url = new HttpURL(rspHeader.getHeader("Location"));
assertEquals("app_state", url.getParameter("state"));
assertTrue(registry.isAuthorizationCodeValid("12345", url.getParameter("code")));
}
}

215
test/zutil/net/http/page/oauth/OAuth2TokenPageTest.java
View file

@ -26,147 +26,154 @@ package zutil.net.http.page.oauth;
import org.junit.Before;
import org.junit.Test;
import zutil.io.IOUtil;
import zutil.net.http.HttpHeader;
import zutil.net.http.HttpTestUtil;
import zutil.net.http.HttpURL;
import zutil.parser.DataNode;
import zutil.parser.json.JSONParser;
import java.io.IOException;
import java.net.MalformedURLException;
import static org.junit.Assert.*;
public class OAuth2TokenPageTest {
private static final String VALID_CLIENT_ID = "12345";
private static final String VALID_REDIRECT_URI = "https://example.com";
private static final String VALID_AUTH_CODE = "secret_code";
private static final String VALID_GRANT_TYPE = "authorization_code";
private OAuth2Registry registry;
private OAuth2AuthorizationPage authPage;
private OAuth2TokenPage tokenPage;
@Before
public void init(){
registry = new OAuth2Registry();
authPage = new OAuth2AuthorizationPage(registry);
tokenPage = new OAuth2TokenPage(registry);
registry.addWhitelist(VALID_CLIENT_ID);
registry.registerAuthorizationCode(VALID_CLIENT_ID, VALID_AUTH_CODE);
}
@Test
public void invalidRedirect() throws IOException {
registry.addWhitelist("12345");
HttpHeader reqHeader = new HttpHeader();
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
// redirect_uri and client_id not provided
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
// redirect_uri not provided
reqHeader.setURLAttribute("client_id", "12345");
rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
// redirect_uri is not a valid URL
reqHeader.setURLAttribute("redirect_uri", "incorrect url");
rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
// redirect_uri is not HTTPS
reqHeader.setURLAttribute("redirect_uri", "http://example.com");
rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
}
@Test
public void invalidClientId() throws IOException {
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("redirect_uri", "https://example.com");
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
// client_id not provided
assertEquals(400, rspHeader.getResponseStatusCode());
assertNull(rspHeader.getHeader("Location"));
}
/** The request is missing a required parameter, includes an invalid parameter value, includes a parameter
more than once, or is otherwise malformed. **/
@Test
public void errorInvalidRequest() throws IOException {
registry.addWhitelist("12345");
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", "12345");
reqHeader.setURLAttribute("redirect_uri", "https://example.com");
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader);
// Missing response_type
assertEquals(400, rspHeader.getResponseStatusCode());
DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream()));
assertEquals("invalid_request", json.getString("error"));
assertEquals(302, rspHeader.getResponseStatusCode());
HttpURL url = new HttpURL(rspHeader.getHeader("Location"));
assertNull(url.getParameter("code"));
assertEquals("invalid_request", url.getParameter("error"));
// Missing grant_type
// response_type is not code
reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
reqHeader.setURLAttribute("code", VALID_AUTH_CODE);
rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader);
reqHeader.setURLAttribute("response_type", "not_code");
rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream()));
assertEquals("invalid_request", json.getString("error"));
assertEquals(302, rspHeader.getResponseStatusCode());
assertNull(url.getParameter("code"));
assertEquals("invalid_request", url.getParameter("error"));
// Missing code
reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE);
rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream()));
assertEquals("invalid_request", json.getString("error"));
// Missing redirect_uri
reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE);
reqHeader.setURLAttribute("code", VALID_AUTH_CODE);
rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream()));
assertEquals("invalid_request", json.getString("error"));
// Missing client_id
reqHeader = new HttpHeader();
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE);
reqHeader.setURLAttribute("code", VALID_AUTH_CODE);
rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream()));
assertEquals("invalid_request", json.getString("error"));
}
/** The client is not authorized to request an authorization code using this method. **/
@Test
public void errorUnauthorizedClient() throws IOException {
registry.addWhitelist("12345");
public void errorInvalidClient() throws IOException {
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", "67890");
reqHeader.setURLAttribute("redirect_uri", "https://example.com");
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE);
reqHeader.setURLAttribute("code", VALID_AUTH_CODE);
HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader);
// Missing response_type
assertEquals(400, rspHeader.getResponseStatusCode());
DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream()));
assertEquals("invalid_client", json.getString("error"));
assertEquals(302, rspHeader.getResponseStatusCode());
HttpURL url = new HttpURL(rspHeader.getHeader("Location"));
assertNull(url.getParameter("code"));
assertEquals("unauthorized_client", url.getParameter("error"));
}
@Test
public void errorInvalidGrant() throws IOException {
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE);
reqHeader.setURLAttribute("code", "fake_code");
HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream()));
assertEquals("invalid_grant", json.getString("error"));
}
@Test
public void errorUnsupportedGrantType() throws IOException {
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
reqHeader.setURLAttribute("grant_type", "fake_grant_type");
reqHeader.setURLAttribute("code", VALID_AUTH_CODE);
HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader);
assertEquals(400, rspHeader.getResponseStatusCode());
DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream()));
assertEquals("unsupported_grant_type", json.getString("error"));
}
@Test
public void requestBasic() throws IOException {
registry.addWhitelist("12345");
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", "12345");
reqHeader.setURLAttribute("redirect_uri", "https://example.com");
reqHeader.setURLAttribute("response_type", "code");
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID);
reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI);
reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE);
reqHeader.setURLAttribute("code", VALID_AUTH_CODE);
HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader);
assertEquals(302, rspHeader.getResponseStatusCode());
HttpURL url = new HttpURL(rspHeader.getHeader("Location"));
assertEquals("example.com", url.getHost());
assertNotNull(url.getParameter("code"));
assertNull(url.getParameter("state"));
}
assertEquals(200, rspHeader.getResponseStatusCode());
assertEquals("application/json", rspHeader.getHeader("Content-Type"));
DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream()));
assertNotNull(json.getString("refresh_token"));
assertNotNull(json.getString("access_token"));
assertNotNull(json.getString("expires_in"));
assertEquals("bearer", json.getString("token_type"));
@Test
public void requestWithState() throws IOException {
registry.addWhitelist("12345");
HttpHeader reqHeader = new HttpHeader();
reqHeader.setURLAttribute("client_id", "12345");
reqHeader.setURLAttribute("redirect_uri", "https://example.com");
reqHeader.setURLAttribute("response_type", "code");
reqHeader.setURLAttribute("state", "app_state");
HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader);
assertEquals(302, rspHeader.getResponseStatusCode());
HttpURL url = new HttpURL(rspHeader.getHeader("Location"));
assertEquals("app_state", url.getParameter("state"));
assertTrue(registry.isAccessTokenValid(VALID_CLIENT_ID, json.getString("access_token")));
}
}