2020-03-23 15:35:58 +01:00
|
|
|
/*
|
|
|
|
|
* MIT License
|
|
|
|
|
*
|
|
|
|
|
* Copyright (c) 2020-present Cloudogu GmbH and Contributors
|
|
|
|
|
*
|
|
|
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
|
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
|
|
|
* in the Software without restriction, including without limitation the rights
|
|
|
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
|
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
|
|
|
* furnished to do so, subject to the following conditions:
|
|
|
|
|
*
|
|
|
|
|
* The above copyright notice and this permission notice shall be included in all
|
|
|
|
|
* copies or substantial portions of the Software.
|
|
|
|
|
*
|
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
|
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
|
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
|
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
|
|
|
* SOFTWARE.
|
|
|
|
|
*/
|
|
|
|
|
|
2018-11-29 08:01:25 +01:00
|
|
|
package sonia.scm.security;
|
|
|
|
|
|
2021-02-09 14:30:49 +01:00
|
|
|
import org.apache.shiro.subject.Subject;
|
|
|
|
|
import org.apache.shiro.util.ThreadContext;
|
|
|
|
|
import org.junit.jupiter.api.AfterEach;
|
|
|
|
|
import org.junit.jupiter.api.BeforeEach;
|
|
|
|
|
import org.junit.jupiter.api.Test;
|
|
|
|
|
import org.junit.jupiter.api.extension.ExtendWith;
|
|
|
|
|
import org.mockito.Answers;
|
2018-11-29 08:01:25 +01:00
|
|
|
import org.mockito.Mock;
|
2021-02-09 14:30:49 +01:00
|
|
|
import org.mockito.junit.jupiter.MockitoExtension;
|
|
|
|
|
import sonia.scm.user.User;
|
2018-11-29 08:01:25 +01:00
|
|
|
|
2018-11-30 10:05:43 +01:00
|
|
|
import java.sql.Date;
|
2018-11-29 17:04:38 +01:00
|
|
|
import java.time.Clock;
|
|
|
|
|
import java.time.Instant;
|
2018-11-29 08:01:25 +01:00
|
|
|
import java.util.Collections;
|
|
|
|
|
import java.util.Optional;
|
|
|
|
|
|
2018-11-29 17:04:38 +01:00
|
|
|
import static java.time.Duration.ofMinutes;
|
2018-11-30 10:05:43 +01:00
|
|
|
import static java.time.temporal.ChronoUnit.SECONDS;
|
2018-11-29 17:04:38 +01:00
|
|
|
import static java.util.concurrent.TimeUnit.MINUTES;
|
|
|
|
|
import static org.assertj.core.api.Assertions.assertThat;
|
2018-11-29 08:01:25 +01:00
|
|
|
import static org.mockito.ArgumentMatchers.any;
|
2021-02-09 14:30:49 +01:00
|
|
|
import static org.mockito.Mockito.lenient;
|
2018-11-30 10:05:43 +01:00
|
|
|
import static org.mockito.Mockito.mock;
|
2018-11-29 08:01:25 +01:00
|
|
|
import static org.mockito.Mockito.when;
|
2018-11-30 11:26:23 +01:00
|
|
|
import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;
|
2018-11-29 08:01:25 +01:00
|
|
|
|
2021-02-09 14:30:49 +01:00
|
|
|
@ExtendWith(MockitoExtension.class)
|
2018-11-29 08:01:25 +01:00
|
|
|
public class JwtAccessTokenRefresherTest {
|
|
|
|
|
|
2018-11-30 10:05:43 +01:00
|
|
|
private static final Instant NOW = Instant.now().truncatedTo(SECONDS);
|
2018-11-30 09:43:13 +01:00
|
|
|
private static final Instant TOKEN_CREATION = NOW.minus(ofMinutes(1));
|
|
|
|
|
|
2018-11-29 08:01:25 +01:00
|
|
|
@Mock
|
|
|
|
|
private SecureKeyResolver keyResolver;
|
|
|
|
|
@Mock
|
|
|
|
|
private JwtAccessTokenRefreshStrategy refreshStrategy;
|
2018-11-29 17:04:38 +01:00
|
|
|
@Mock
|
2018-11-30 09:43:13 +01:00
|
|
|
private Clock refreshClock;
|
2021-02-09 14:30:49 +01:00
|
|
|
@Mock(answer = Answers.RETURNS_DEEP_STUBS)
|
|
|
|
|
private Subject subject;
|
2018-11-29 17:04:38 +01:00
|
|
|
|
2021-02-09 14:30:49 +01:00
|
|
|
private final KeyGenerator keyGenerator = () -> "key";
|
2018-11-30 09:22:02 +01:00
|
|
|
|
2018-11-29 08:01:25 +01:00
|
|
|
private JwtAccessTokenRefresher refresher;
|
|
|
|
|
private JwtAccessTokenBuilder tokenBuilder;
|
|
|
|
|
|
2021-02-09 14:30:49 +01:00
|
|
|
@BeforeEach
|
|
|
|
|
void initKeyResolver() {
|
2018-11-30 11:26:23 +01:00
|
|
|
when(keyResolver.getSecureKey(any())).thenReturn(createSecureKey());
|
2018-11-29 08:01:25 +01:00
|
|
|
|
2018-11-30 10:05:43 +01:00
|
|
|
Clock creationClock = mock(Clock.class);
|
2018-11-30 09:43:13 +01:00
|
|
|
when(creationClock.instant()).thenReturn(TOKEN_CREATION);
|
2018-11-30 10:05:43 +01:00
|
|
|
tokenBuilder = new JwtAccessTokenBuilderFactory(keyGenerator, keyResolver, Collections.emptySet(), creationClock).create();
|
|
|
|
|
|
|
|
|
|
JwtAccessTokenBuilderFactory refreshBuilderFactory = new JwtAccessTokenBuilderFactory(keyGenerator, keyResolver, Collections.emptySet(), refreshClock);
|
|
|
|
|
refresher = new JwtAccessTokenRefresher(refreshBuilderFactory, refreshStrategy, refreshClock);
|
2018-11-30 09:43:13 +01:00
|
|
|
when(refreshClock.instant()).thenReturn(NOW);
|
2021-02-09 14:30:49 +01:00
|
|
|
lenient().when(refreshStrategy.shouldBeRefreshed(any())).thenReturn(true);
|
2018-11-30 09:22:02 +01:00
|
|
|
|
|
|
|
|
// set default expiration values
|
|
|
|
|
tokenBuilder
|
|
|
|
|
.expiresIn(5, MINUTES)
|
|
|
|
|
.refreshableFor(10, MINUTES);
|
2018-11-29 08:01:25 +01:00
|
|
|
}
|
|
|
|
|
|
2021-02-09 14:30:49 +01:00
|
|
|
@BeforeEach
|
|
|
|
|
void initSubject() {
|
|
|
|
|
ThreadContext.bind(subject);
|
|
|
|
|
when(subject.getPrincipals().oneByType(Scope.class)).thenReturn(Scope.valueOf("trillian"));
|
|
|
|
|
when(subject.getPrincipal()).thenReturn(new User("trillian"));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@AfterEach
|
|
|
|
|
void tearDownSubject() {
|
|
|
|
|
ThreadContext.unbindSubject();
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-29 08:01:25 +01:00
|
|
|
@Test
|
2021-02-09 14:30:49 +01:00
|
|
|
void shouldNotRefreshTokenWithDisabledRefresh() {
|
2018-11-29 08:01:25 +01:00
|
|
|
JwtAccessToken oldToken = tokenBuilder
|
2018-11-29 17:04:38 +01:00
|
|
|
.refreshableFor(0, MINUTES)
|
|
|
|
|
.build();
|
|
|
|
|
|
|
|
|
|
Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);
|
|
|
|
|
|
|
|
|
|
assertThat(refreshedToken).isEmpty();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
2021-02-09 14:30:49 +01:00
|
|
|
void shouldNotRefreshTokenWhenTokenExpired() {
|
2018-11-30 09:43:13 +01:00
|
|
|
Instant afterNormalExpiration = NOW.plus(ofMinutes(6));
|
|
|
|
|
when(refreshClock.instant()).thenReturn(afterNormalExpiration);
|
2018-11-30 09:22:02 +01:00
|
|
|
JwtAccessToken oldToken = tokenBuilder.build();
|
2018-11-29 17:04:38 +01:00
|
|
|
|
|
|
|
|
Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);
|
|
|
|
|
|
|
|
|
|
assertThat(refreshedToken).isEmpty();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
2021-02-09 14:30:49 +01:00
|
|
|
void shouldNotRefreshTokenWhenRefreshExpired() {
|
2018-11-30 09:22:02 +01:00
|
|
|
Instant afterRefreshExpiration = Instant.now().plus(ofMinutes(2));
|
2018-11-30 09:43:13 +01:00
|
|
|
when(refreshClock.instant()).thenReturn(afterRefreshExpiration);
|
2018-11-29 17:04:38 +01:00
|
|
|
JwtAccessToken oldToken = tokenBuilder
|
|
|
|
|
.refreshableFor(1, MINUTES)
|
2018-11-29 08:01:25 +01:00
|
|
|
.build();
|
|
|
|
|
|
|
|
|
|
Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);
|
|
|
|
|
|
2018-11-29 17:04:38 +01:00
|
|
|
assertThat(refreshedToken).isEmpty();
|
2018-11-29 08:01:25 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
2021-02-09 14:30:49 +01:00
|
|
|
void shouldNotRefreshTokenWhenStrategyDoesNotSaySo() {
|
2018-11-30 09:22:02 +01:00
|
|
|
JwtAccessToken oldToken = tokenBuilder.build();
|
2018-11-29 08:01:25 +01:00
|
|
|
when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(false);
|
|
|
|
|
|
|
|
|
|
Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);
|
|
|
|
|
|
2018-11-29 17:04:38 +01:00
|
|
|
assertThat(refreshedToken).isEmpty();
|
2018-11-29 08:01:25 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
2021-02-09 14:30:49 +01:00
|
|
|
void shouldRefreshTokenWithParentId() {
|
2018-11-30 09:22:02 +01:00
|
|
|
JwtAccessToken oldToken = tokenBuilder.build();
|
2018-11-29 08:01:25 +01:00
|
|
|
when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);
|
|
|
|
|
|
2018-11-30 09:43:13 +01:00
|
|
|
Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);
|
2018-11-29 08:01:25 +01:00
|
|
|
|
2018-11-30 09:43:13 +01:00
|
|
|
assertThat(refreshedTokenResult).isNotEmpty();
|
|
|
|
|
JwtAccessToken refreshedToken = refreshedTokenResult.get();
|
|
|
|
|
assertThat(refreshedToken.getParentKey()).get().isEqualTo("key");
|
2018-11-29 08:01:25 +01:00
|
|
|
}
|
2018-11-30 10:05:43 +01:00
|
|
|
|
|
|
|
|
@Test
|
2021-02-09 14:30:49 +01:00
|
|
|
void shouldRefreshTokenWithSameExpiration() {
|
2018-11-30 10:05:43 +01:00
|
|
|
JwtAccessToken oldToken = tokenBuilder.build();
|
|
|
|
|
when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);
|
|
|
|
|
|
|
|
|
|
Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);
|
|
|
|
|
|
|
|
|
|
assertThat(refreshedTokenResult).isNotEmpty();
|
|
|
|
|
JwtAccessToken refreshedToken = refreshedTokenResult.get();
|
|
|
|
|
assertThat(refreshedToken.getExpiration()).isEqualTo(Date.from(NOW.plus(ofMinutes(5))));
|
|
|
|
|
}
|
2018-11-30 10:15:12 +01:00
|
|
|
|
|
|
|
|
@Test
|
2021-02-09 14:30:49 +01:00
|
|
|
void shouldRefreshTokenWithSameRefreshExpiration() {
|
2018-11-30 10:15:12 +01:00
|
|
|
JwtAccessToken oldToken = tokenBuilder.build();
|
|
|
|
|
when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);
|
|
|
|
|
|
|
|
|
|
Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);
|
|
|
|
|
|
|
|
|
|
assertThat(refreshedTokenResult).isNotEmpty();
|
|
|
|
|
JwtAccessToken refreshedToken = refreshedTokenResult.get();
|
|
|
|
|
assertThat(refreshedToken.getRefreshExpiration()).get().isEqualTo(Date.from(TOKEN_CREATION.plus(ofMinutes(10))));
|
|
|
|
|
}
|
2018-11-29 08:01:25 +01:00
|
|
|
}
|
