scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenRefresherTest.java

/*
 * MIT License
 *
 * Copyright (c) 2020-present Cloudogu GmbH and Contributors
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
    
package sonia.scm.security;

import com.github.sdorra.shiro.ShiroRule;
import com.github.sdorra.shiro.SubjectAware;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;

import java.sql.Date;
import java.time.Clock;
import java.time.Instant;
import java.util.Collections;
import java.util.Optional;

import static java.time.Duration.ofMinutes;
import static java.time.temporal.ChronoUnit.SECONDS;
import static java.util.concurrent.TimeUnit.MINUTES;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;

@SubjectAware(
  username = "user",
  password = "secret",
  configuration = "classpath:sonia/scm/repository/shiro.ini"
)
@RunWith(MockitoJUnitRunner.class)
public class JwtAccessTokenRefresherTest {

  private static final Instant NOW = Instant.now().truncatedTo(SECONDS);
  private static final Instant TOKEN_CREATION = NOW.minus(ofMinutes(1));

  @Rule
  public ShiroRule shiro = new ShiroRule();

  @Mock
  private SecureKeyResolver keyResolver;
  @Mock
  private JwtAccessTokenRefreshStrategy refreshStrategy;
  @Mock
  private Clock refreshClock;

  private KeyGenerator keyGenerator = () -> "key";

  private JwtAccessTokenRefresher refresher;
  private JwtAccessTokenBuilder tokenBuilder;

  @Before
  public void initKeyResolver() {
    when(keyResolver.getSecureKey(any())).thenReturn(createSecureKey());

    Clock creationClock = mock(Clock.class);
    when(creationClock.instant()).thenReturn(TOKEN_CREATION);
    tokenBuilder = new JwtAccessTokenBuilderFactory(keyGenerator, keyResolver, Collections.emptySet(), creationClock).create();

    JwtAccessTokenBuilderFactory refreshBuilderFactory = new JwtAccessTokenBuilderFactory(keyGenerator, keyResolver, Collections.emptySet(), refreshClock);
    refresher = new JwtAccessTokenRefresher(refreshBuilderFactory, refreshStrategy, refreshClock);
    when(refreshClock.instant()).thenReturn(NOW);
    when(refreshStrategy.shouldBeRefreshed(any())).thenReturn(true);

    // set default expiration values
    tokenBuilder
      .expiresIn(5, MINUTES)
      .refreshableFor(10, MINUTES);
  }

  @Test
  public void shouldNotRefreshTokenWithDisabledRefresh() {
    JwtAccessToken oldToken = tokenBuilder
      .refreshableFor(0, MINUTES)
      .build();

    Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);

    assertThat(refreshedToken).isEmpty();
  }

  @Test
  public void shouldNotRefreshTokenWhenTokenExpired() {
    Instant afterNormalExpiration = NOW.plus(ofMinutes(6));
    when(refreshClock.instant()).thenReturn(afterNormalExpiration);
    JwtAccessToken oldToken = tokenBuilder.build();

    Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);

    assertThat(refreshedToken).isEmpty();
  }

  @Test
  public void shouldNotRefreshTokenWhenRefreshExpired() {
    Instant afterRefreshExpiration = Instant.now().plus(ofMinutes(2));
    when(refreshClock.instant()).thenReturn(afterRefreshExpiration);
    JwtAccessToken oldToken = tokenBuilder
      .refreshableFor(1, MINUTES)
      .build();

    Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);

    assertThat(refreshedToken).isEmpty();
  }

  @Test
  public void shouldNotRefreshTokenWhenStrategyDoesNotSaySo() {
    JwtAccessToken oldToken = tokenBuilder.build();
    when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(false);

    Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);

    assertThat(refreshedToken).isEmpty();
  }

  @Test
  public void shouldRefreshTokenWithParentId() {
    JwtAccessToken oldToken = tokenBuilder.build();
    when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);

    Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);

    assertThat(refreshedTokenResult).isNotEmpty();
    JwtAccessToken refreshedToken = refreshedTokenResult.get();
    assertThat(refreshedToken.getParentKey()).get().isEqualTo("key");
  }

  @Test
  public void shouldRefreshTokenWithSameExpiration() {
    JwtAccessToken oldToken = tokenBuilder.build();
    when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);

    Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);

    assertThat(refreshedTokenResult).isNotEmpty();
    JwtAccessToken refreshedToken = refreshedTokenResult.get();
    assertThat(refreshedToken.getExpiration()).isEqualTo(Date.from(NOW.plus(ofMinutes(5))));
  }

  @Test
  public void shouldRefreshTokenWithSameRefreshExpiration() {
    JwtAccessToken oldToken = tokenBuilder.build();
    when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);

    Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);

    assertThat(refreshedTokenResult).isNotEmpty();
    JwtAccessToken refreshedToken = refreshedTokenResult.get();
    assertThat(refreshedToken.getRefreshExpiration()).get().isEqualTo(Date.from(TOKEN_CREATION.plus(ofMinutes(10))));
  }
}
Changeover to MIT license (#1066) * prepare license-maven-plugin for license migration * added license mapping for tsx files and added some more excludes * Changeover to MIT license * Fix build problems * Delete old remaining licenses * Add more exclude path for license checker * Rename included netbeans license, add exclude .m2/repository/ * Specify .m2 exclude because not only repository/, also wrapper/ must match * Add .cache/ exclude for license check * Modify formatting of license in java classes to comply with convention and IDE * Add IntelliJ documentation for license configuration * Update CHANGELOG.md * Exclude tmp/workspace/ dir for license check * Edit README.md Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com> 2020-03-23 15:35:58 +01:00			`/*`
			`* MIT License`
			`*`
			`* Copyright (c) 2020-present Cloudogu GmbH and Contributors`
			`*`
			`* Permission is hereby granted, free of charge, to any person obtaining a copy`
			`* of this software and associated documentation files (the "Software"), to deal`
			`* in the Software without restriction, including without limitation the rights`
			`* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell`
			`* copies of the Software, and to permit persons to whom the Software is`
			`* furnished to do so, subject to the following conditions:`
			`*`
			`* The above copyright notice and this permission notice shall be included in all`
			`* copies or substantial portions of the Software.`
			`*`
			`* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR`
			`* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,`
			`* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE`
			`* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER`
			`* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,`
			`* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE`
			`* SOFTWARE.`
			`*/`

First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`package sonia.scm.security;`

			`import com.github.sdorra.shiro.ShiroRule;`
			`import com.github.sdorra.shiro.SubjectAware;`
			`import org.junit.Before;`
			`import org.junit.Rule;`
			`import org.junit.Test;`
			`import org.junit.runner.RunWith;`
			`import org.mockito.Mock;`
			`import org.mockito.junit.MockitoJUnitRunner;`

Compute new expiration from old expiration 2018-11-30 10:05:43 +01:00			`import java.sql.Date;`
Fix time computations 2018-11-29 17:04:38 +01:00			`import java.time.Clock;`
			`import java.time.Instant;`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`import java.util.Collections;`
			`import java.util.Optional;`

Fix time computations 2018-11-29 17:04:38 +01:00			`import static java.time.Duration.ofMinutes;`
Compute new expiration from old expiration 2018-11-30 10:05:43 +01:00			`import static java.time.temporal.ChronoUnit.SECONDS;`
Fix time computations 2018-11-29 17:04:38 +01:00			`import static java.util.concurrent.TimeUnit.MINUTES;`
			`import static org.assertj.core.api.Assertions.assertThat;`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`import static org.mockito.ArgumentMatchers.any;`
Compute new expiration from old expiration 2018-11-30 10:05:43 +01:00			`import static org.mockito.Mockito.mock;`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`import static org.mockito.Mockito.when;`
Remove redundant key generation in tests 2018-11-30 11:26:23 +01:00			`import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00
			`@SubjectAware(`
			`username = "user",`
			`password = "secret",`
			`configuration = "classpath:sonia/scm/repository/shiro.ini"`
			`)`
			`@RunWith(MockitoJUnitRunner.class)`
			`public class JwtAccessTokenRefresherTest {`

Compute new expiration from old expiration 2018-11-30 10:05:43 +01:00			`private static final Instant NOW = Instant.now().truncatedTo(SECONDS);`
Inject clocks for tests 2018-11-30 09:43:13 +01:00			`private static final Instant TOKEN_CREATION = NOW.minus(ofMinutes(1));`

First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`@Rule`
			`public ShiroRule shiro = new ShiroRule();`

			`@Mock`
			`private SecureKeyResolver keyResolver;`
			`@Mock`
			`private JwtAccessTokenRefreshStrategy refreshStrategy;`
Fix time computations 2018-11-29 17:04:38 +01:00			`@Mock`
Inject clocks for tests 2018-11-30 09:43:13 +01:00			`private Clock refreshClock;`
Fix time computations 2018-11-29 17:04:38 +01:00
Set parent token id 2018-11-30 09:22:02 +01:00			`private KeyGenerator keyGenerator = () -> "key";`

First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`private JwtAccessTokenRefresher refresher;`
			`private JwtAccessTokenBuilder tokenBuilder;`

			`@Before`
			`public void initKeyResolver() {`
Remove redundant key generation in tests 2018-11-30 11:26:23 +01:00			`when(keyResolver.getSecureKey(any())).thenReturn(createSecureKey());`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00
Compute new expiration from old expiration 2018-11-30 10:05:43 +01:00			`Clock creationClock = mock(Clock.class);`
Inject clocks for tests 2018-11-30 09:43:13 +01:00			`when(creationClock.instant()).thenReturn(TOKEN_CREATION);`
Compute new expiration from old expiration 2018-11-30 10:05:43 +01:00			`tokenBuilder = new JwtAccessTokenBuilderFactory(keyGenerator, keyResolver, Collections.emptySet(), creationClock).create();`

			`JwtAccessTokenBuilderFactory refreshBuilderFactory = new JwtAccessTokenBuilderFactory(keyGenerator, keyResolver, Collections.emptySet(), refreshClock);`
			`refresher = new JwtAccessTokenRefresher(refreshBuilderFactory, refreshStrategy, refreshClock);`
Inject clocks for tests 2018-11-30 09:43:13 +01:00			`when(refreshClock.instant()).thenReturn(NOW);`
Fix time computations 2018-11-29 17:04:38 +01:00			`when(refreshStrategy.shouldBeRefreshed(any())).thenReturn(true);`
Set parent token id 2018-11-30 09:22:02 +01:00
			`// set default expiration values`
			`tokenBuilder`
			`.expiresIn(5, MINUTES)`
			`.refreshableFor(10, MINUTES);`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`}`

			`@Test`
			`public void shouldNotRefreshTokenWithDisabledRefresh() {`
			`JwtAccessToken oldToken = tokenBuilder`
Fix time computations 2018-11-29 17:04:38 +01:00			`.refreshableFor(0, MINUTES)`
			`.build();`

			`Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);`

			`assertThat(refreshedToken).isEmpty();`
			`}`

			`@Test`
			`public void shouldNotRefreshTokenWhenTokenExpired() {`
Inject clocks for tests 2018-11-30 09:43:13 +01:00			`Instant afterNormalExpiration = NOW.plus(ofMinutes(6));`
			`when(refreshClock.instant()).thenReturn(afterNormalExpiration);`
Set parent token id 2018-11-30 09:22:02 +01:00			`JwtAccessToken oldToken = tokenBuilder.build();`
Fix time computations 2018-11-29 17:04:38 +01:00
			`Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);`

			`assertThat(refreshedToken).isEmpty();`
			`}`

			`@Test`
			`public void shouldNotRefreshTokenWhenRefreshExpired() {`
Set parent token id 2018-11-30 09:22:02 +01:00			`Instant afterRefreshExpiration = Instant.now().plus(ofMinutes(2));`
Inject clocks for tests 2018-11-30 09:43:13 +01:00			`when(refreshClock.instant()).thenReturn(afterRefreshExpiration);`
Fix time computations 2018-11-29 17:04:38 +01:00			`JwtAccessToken oldToken = tokenBuilder`
			`.refreshableFor(1, MINUTES)`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`.build();`

			`Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);`

Fix time computations 2018-11-29 17:04:38 +01:00			`assertThat(refreshedToken).isEmpty();`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`}`

			`@Test`
			`public void shouldNotRefreshTokenWhenStrategyDoesNotSaySo() {`
Set parent token id 2018-11-30 09:22:02 +01:00			`JwtAccessToken oldToken = tokenBuilder.build();`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(false);`

			`Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);`

Fix time computations 2018-11-29 17:04:38 +01:00			`assertThat(refreshedToken).isEmpty();`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`}`

			`@Test`
Compute new expiration from old expiration 2018-11-30 10:05:43 +01:00			`public void shouldRefreshTokenWithParentId() {`
Set parent token id 2018-11-30 09:22:02 +01:00			`JwtAccessToken oldToken = tokenBuilder.build();`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);`

Inject clocks for tests 2018-11-30 09:43:13 +01:00			`Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00
Inject clocks for tests 2018-11-30 09:43:13 +01:00			`assertThat(refreshedTokenResult).isNotEmpty();`
			`JwtAccessToken refreshedToken = refreshedTokenResult.get();`
			`assertThat(refreshedToken.getParentKey()).get().isEqualTo("key");`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`}`
Compute new expiration from old expiration 2018-11-30 10:05:43 +01:00
			`@Test`
			`public void shouldRefreshTokenWithSameExpiration() {`
			`JwtAccessToken oldToken = tokenBuilder.build();`
			`when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);`

			`Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);`

			`assertThat(refreshedTokenResult).isNotEmpty();`
			`JwtAccessToken refreshedToken = refreshedTokenResult.get();`
			`assertThat(refreshedToken.getExpiration()).isEqualTo(Date.from(NOW.plus(ofMinutes(5))));`
			`}`
Keep refresh expiration 2018-11-30 10:15:12 +01:00
			`@Test`
			`public void shouldRefreshTokenWithSameRefreshExpiration() {`
			`JwtAccessToken oldToken = tokenBuilder.build();`
			`when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);`

			`Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);`

			`assertThat(refreshedTokenResult).isNotEmpty();`
			`JwtAccessToken refreshedToken = refreshedTokenResult.get();`
			`assertThat(refreshedToken.getRefreshExpiration()).get().isEqualTo(Date.from(TOKEN_CREATION.plus(ofMinutes(10))));`
			`}`
First steps for JWT refresh 2018-11-29 08:01:25 +01:00			`}`