Reactive Opaque Token Support
Fixes: gh-6513
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -13,16 +13,8 @@
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.config.web.server;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatCode;
|
||||
import static org.hamcrest.core.StringStartsWith.startsWith;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.ArgumentMatchers.anyString;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.when;
|
||||
package org.springframework.security.config.web.server;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.math.BigInteger;
|
||||
@@ -32,18 +24,22 @@ import java.security.interfaces.RSAPublicKey;
|
||||
import java.security.spec.InvalidKeySpecException;
|
||||
import java.security.spec.RSAPublicKeySpec;
|
||||
import java.time.Instant;
|
||||
import java.util.Base64;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.Optional;
|
||||
import java.util.stream.Collectors;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import javax.annotation.PreDestroy;
|
||||
|
||||
import okhttp3.mockwebserver.Dispatcher;
|
||||
import okhttp3.mockwebserver.MockResponse;
|
||||
import okhttp3.mockwebserver.MockWebServer;
|
||||
import okhttp3.mockwebserver.RecordedRequest;
|
||||
import org.apache.http.HttpHeaders;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
|
||||
@@ -53,6 +49,7 @@ import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.core.convert.converter.Converter;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.authentication.AbstractAuthenticationToken;
|
||||
import org.springframework.security.authentication.ReactiveAuthenticationManager;
|
||||
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
|
||||
@@ -81,8 +78,14 @@ import org.springframework.web.context.support.GenericWebApplicationContext;
|
||||
import org.springframework.web.reactive.DispatcherHandler;
|
||||
import org.springframework.web.reactive.config.EnableWebFlux;
|
||||
|
||||
import okhttp3.mockwebserver.MockResponse;
|
||||
import okhttp3.mockwebserver.MockWebServer;
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatCode;
|
||||
import static org.hamcrest.core.StringStartsWith.startsWith;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.ArgumentMatchers.anyString;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
/**
|
||||
* Tests for {@link org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec}
|
||||
@@ -113,6 +116,22 @@ public class OAuth2ResourceServerSpecTests {
|
||||
Collections.singletonMap("alg", JwsAlgorithms.RS256),
|
||||
Collections.singletonMap("sub", "user"));
|
||||
|
||||
private String clientId = "client";
|
||||
private String clientSecret = "secret";
|
||||
private String active = "{\n" +
|
||||
" \"active\": true,\n" +
|
||||
" \"client_id\": \"l238j323ds-23ij4\",\n" +
|
||||
" \"username\": \"jdoe\",\n" +
|
||||
" \"scope\": \"read write dolphin\",\n" +
|
||||
" \"sub\": \"Z5O3upPC88QrAjx00dis\",\n" +
|
||||
" \"aud\": \"https://protected.example.net/resource\",\n" +
|
||||
" \"iss\": \"https://server.example.com/\",\n" +
|
||||
" \"exp\": 1419356238,\n" +
|
||||
" \"iat\": 1419350238,\n" +
|
||||
" \"extension_field\": \"twenty-seven\"\n" +
|
||||
" }";
|
||||
|
||||
|
||||
@Rule
|
||||
public final SpringTestRule spring = new SpringTestRule();
|
||||
|
||||
@@ -332,6 +351,18 @@ public class OAuth2ResourceServerSpecTests {
|
||||
.isInstanceOf(NoSuchBeanDefinitionException.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void introspectWhenValidThenReturnsOk() {
|
||||
this.spring.register(IntrospectionConfig.class, RootController.class).autowire();
|
||||
this.spring.getContext().getBean(MockWebServer.class)
|
||||
.setDispatcher(requiresAuth(clientId, clientSecret, active));
|
||||
|
||||
this.client.get()
|
||||
.headers(headers -> headers.setBearerAuth(this.messageReadToken))
|
||||
.exchange()
|
||||
.expectStatus().isOk();
|
||||
}
|
||||
|
||||
@EnableWebFlux
|
||||
@EnableWebFluxSecurity
|
||||
static class PublicKeyConfig {
|
||||
@@ -525,6 +556,37 @@ public class OAuth2ResourceServerSpecTests {
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebFlux
|
||||
@EnableWebFluxSecurity
|
||||
static class IntrospectionConfig {
|
||||
private MockWebServer mockWebServer = new MockWebServer();
|
||||
|
||||
@Bean
|
||||
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
|
||||
String introspectionUri = mockWebServer().url("/introspect").toString();
|
||||
|
||||
// @formatter:off
|
||||
http
|
||||
.oauth2ResourceServer()
|
||||
.opaqueToken()
|
||||
.introspectionUri(introspectionUri)
|
||||
.introspectionClientCredentials("client", "secret");
|
||||
// @formatter:on
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
MockWebServer mockWebServer() {
|
||||
return this.mockWebServer;
|
||||
}
|
||||
|
||||
@PreDestroy
|
||||
void shutdown() throws IOException {
|
||||
this.mockWebServer.shutdown();
|
||||
}
|
||||
}
|
||||
|
||||
@RestController
|
||||
static class RootController {
|
||||
@GetMapping
|
||||
@@ -538,6 +600,33 @@ public class OAuth2ResourceServerSpecTests {
|
||||
}
|
||||
}
|
||||
|
||||
private static Dispatcher requiresAuth(String username, String password, String response) {
|
||||
return new Dispatcher() {
|
||||
@Override
|
||||
public MockResponse dispatch(RecordedRequest request) {
|
||||
String authorization = request.getHeader(org.springframework.http.HttpHeaders.AUTHORIZATION);
|
||||
return Optional.ofNullable(authorization)
|
||||
.filter(a -> isAuthorized(authorization, username, password))
|
||||
.map(a -> ok(response))
|
||||
.orElse(unauthorized());
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
private static boolean isAuthorized(String authorization, String username, String password) {
|
||||
String[] values = new String(Base64.getDecoder().decode(authorization.substring(6))).split(":");
|
||||
return username.equals(values[0]) && password.equals(values[1]);
|
||||
}
|
||||
|
||||
private static MockResponse ok(String response) {
|
||||
return new MockResponse().setBody(response)
|
||||
.setHeader(org.springframework.http.HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
|
||||
}
|
||||
|
||||
private static MockResponse unauthorized() {
|
||||
return new MockResponse().setResponseCode(401);
|
||||
}
|
||||
|
||||
private static RSAPublicKey publicKey() throws NoSuchAlgorithmException, InvalidKeySpecException {
|
||||
String modulus = "26323220897278656456354815752829448539647589990395639665273015355787577386000316054335559633864476469390247312823732994485311378484154955583861993455004584140858982659817218753831620205191028763754231454775026027780771426040997832758235764611119743390612035457533732596799927628476322029280486807310749948064176545712270582940917249337311592011920620009965129181413510845780806191965771671528886508636605814099711121026468495328702234901200169245493126030184941412539949521815665744267183140084667383643755535107759061065656273783542590997725982989978433493861515415520051342321336460543070448417126615154138673620797";
|
||||
String exponent = "65537";
|
||||
|
||||
Reference in New Issue
Block a user