ACS-6121 MNT-24007 Use issuer URI from the IdP (#2250)

2025-10-01 14:41:46 +00:00 · 2023-10-13 14:48:35 +02:00
parent 53c99a0ba4
commit 582fc8ec2d
2 changed files with 92 additions and 2 deletions
--- a/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBeanTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBeanTest.java
@@ -31,15 +31,20 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;

 import java.util.Map;
+import java.util.UUID;

 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBean.JwtDecoderProvider;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBean.JwtIssuerValidator;
 import org.junit.Test;
 import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;

 public class IdentityServiceFacadeFactoryBeanTest
 {
+    private static final String EXPECTED_ISSUER = "expected-issuer";
    @Test
    public void shouldCreateJwtDecoderWithoutIDSWhenPublicKeyIsProvided()
    {
@@ -62,4 +67,53 @@ public class IdentityServiceFacadeFactoryBeanTest
                          .containsEntry(USERNAME_CLAIM, "piotrek");
    }

+    @Test
+    public void shouldFailWithNotMatchingIssuerURIs()
+    {
+        final JwtIssuerValidator issuerValidator = new JwtIssuerValidator(EXPECTED_ISSUER);
+
+        final OAuth2TokenValidatorResult validationResult = issuerValidator.validate(tokenWithIssuer("different-issuer"));
+        assertThat(validationResult).isNotNull();
+        assertThat(validationResult.hasErrors()).isTrue();
+        assertThat(validationResult.getErrors()).hasSize(1);
+
+        final OAuth2Error error = validationResult.getErrors().iterator().next();
+        assertThat(error).isNotNull();
+        assertThat(error.getDescription()).contains(EXPECTED_ISSUER, "different-issuer");
+    }
+
+    @Test
+    public void shouldFailWithNullIssuerURI()
+    {
+        final JwtIssuerValidator issuerValidator = new JwtIssuerValidator(EXPECTED_ISSUER);
+
+        final OAuth2TokenValidatorResult validationResult = issuerValidator.validate(tokenWithIssuer(null));
+        assertThat(validationResult).isNotNull();
+        assertThat(validationResult.hasErrors()).isTrue();
+        assertThat(validationResult.getErrors()).hasSize(1);
+
+        final OAuth2Error error = validationResult.getErrors().iterator().next();
+        assertThat(error).isNotNull();
+        assertThat(error.getDescription()).contains(EXPECTED_ISSUER, "null");
+    }
+
+    @Test
+    public void shouldSucceedWithMatchingIssuerURI()
+    {
+        final JwtIssuerValidator issuerValidator = new JwtIssuerValidator(EXPECTED_ISSUER);
+
+        final OAuth2TokenValidatorResult validationResult = issuerValidator.validate(tokenWithIssuer(EXPECTED_ISSUER));
+        assertThat(validationResult).isNotNull();
+        assertThat(validationResult.hasErrors()).isFalse();
+        assertThat(validationResult.getErrors()).isEmpty();
+    }
+
+    private Jwt tokenWithIssuer(String issuer)
+    {
+        return Jwt.withTokenValue(UUID.randomUUID().toString())
+                  .issuer(issuer)
+                  .header("JUST", "FOR TESTING")
+                  .build();
+    }
+
 }