ACS-4751 Keycloak Migration - OAuth2 Client Role (#1798)

repository/src/test/java/org/alfresco/AllUnitTestsSuite.java

@@ -136,6 +136,7 @@ import org.junit.runners.Suite;
     org.alfresco.repo.search.impl.solr.facet.FacetQNameUtilsTest.class,
     org.alfresco.util.BeanExtenderUnitTest.class,
     org.alfresco.repo.solr.SOLRTrackingComponentUnitTest.class,
+    org.alfresco.repo.security.authentication.identityservice.SpringOAuth2ClientUnitTest.class,
     org.alfresco.repo.security.authentication.CompositePasswordEncoderTest.class,
     org.alfresco.repo.security.authentication.PasswordHashingTest.class,
     org.alfresco.repo.security.authority.script.ScriptAuthorityService_RegExTest.class,

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2018 Alfresco Software Limited
+ * Copyright (C) 2005 - 2023 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software.
  * If the software was purchased under a paid Alfresco license, the terms of
@@ -25,14 +25,17 @@
  */
 package org.alfresco.repo.security.authentication.identityservice;
 
+import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 
 import java.net.ConnectException;
 
 import org.alfresco.error.ExceptionStackUtil;
 import org.alfresco.repo.security.authentication.AuthenticationContext;
 import org.alfresco.repo.security.authentication.AuthenticationException;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client.CredentialsVerificationException;
 import org.alfresco.repo.security.sync.UserRegistrySynchronizer;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.PersonService;
@@ -41,9 +44,6 @@ import org.alfresco.util.BaseSpringTest;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
-import org.keycloak.authorization.client.AuthzClient;
-import org.keycloak.authorization.client.util.HttpResponseException;
-import org.keycloak.representations.AccessTokenResponse;
 import org.springframework.beans.factory.annotation.Autowired;
 
 public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
@@ -65,7 +65,7 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
     @Autowired
     private PersonService personService;
 
-    private AuthzClient mockAuthzClient;
+    private OAuth2Client mockOAuth2Client;
 
     @Before
     public void setUp()
@@ -76,8 +76,8 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
         authComponent.setNodeService(nodeService);
         authComponent.setPersonService(personService);
 
-        mockAuthzClient = mock(AuthzClient.class);
-        authComponent.setAuthenticatorAuthzClient(mockAuthzClient);
+        mockOAuth2Client = mock(OAuth2Client.class);
+        authComponent.setOAuth2Client(mockOAuth2Client);
     }
 
     @After
@@ -89,8 +89,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
     @Test (expected=AuthenticationException.class)
     public void testAuthenticationFail()
     {
-        when(mockAuthzClient.obtainAccessToken("username", "password"))
-                .thenThrow(new HttpResponseException("Unauthorized", 401, "Unauthorized", null));
+        doThrow(new CredentialsVerificationException("Failed"))
+                .when(mockOAuth2Client)
+                .verifyCredentials("username", "password");
 
         authComponent.authenticateImpl("username", "password".toCharArray());
     }
@@ -98,8 +99,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
     @Test(expected = AuthenticationException.class)
     public void testAuthenticationFail_connectionException()
     {
-        when(mockAuthzClient.obtainAccessToken("username", "password")).thenThrow(
-                    new RuntimeException("Couldn't connect to server", new ConnectException("ConnectionRefused")));
+        doThrow(new CredentialsVerificationException("Couldn't connect to server", new ConnectException("ConnectionRefused")))
+                .when(mockOAuth2Client)
+                .verifyCredentials("username", "password");
 
         try
         {
@@ -116,8 +118,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
     @Test (expected=AuthenticationException.class)
     public void testAuthenticationFail_otherException()
     {
-        when(mockAuthzClient.obtainAccessToken("username", "password"))
-                    .thenThrow(new RuntimeException("Some other errors!"));
+        doThrow(new RuntimeException("Some other errors!"))
+                .when(mockOAuth2Client)
+                .verifyCredentials("username", "password");
 
         authComponent.authenticateImpl("username", "password".toCharArray());
     }
@@ -125,8 +128,7 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
     @Test
     public void testAuthenticationPass()
     {
-        when(mockAuthzClient.obtainAccessToken("username", "password"))
-                .thenReturn(new AccessTokenResponse());
+        doNothing().when(mockOAuth2Client).verifyCredentials("username", "password");
 
         authComponent.authenticateImpl("username", "password".toCharArray());
 
@@ -135,9 +137,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
     }
 
     @Test (expected= AuthenticationException.class)
-    public void testFallthroughWhenAuthzClientIsNull()
+    public void testFallthroughWhenOAuth2ClientIsNull()
     {
-        authComponent.setAuthenticatorAuthzClient(null);
+        authComponent.setOAuth2Client(null);
         authComponent.authenticateImpl("username", "password".toCharArray());
     }
 

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringOAuth2ClientUnitTest.java

@@ -0,0 +1,124 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2023 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice;
+
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.argThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.when;
+
+import java.util.function.Supplier;
+
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client.CredentialsVerificationException;
+import org.alfresco.repo.security.authentication.identityservice.OAuth2ClientFactoryBean.SpringOAuth2Client;
+import org.junit.Test;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+
+public class SpringOAuth2ClientUnitTest
+{
+    private static final String USER_NAME = "user";
+    private static final String PASSWORD = "password";
+
+    @Test
+    public void shouldRecoverFromInitialAuthorizationServerUnavailability()
+    {
+        final OAuth2AuthorizedClient authorizedClient = mock(OAuth2AuthorizedClient.class);
+        when(authorizedClient.getAccessToken()).thenReturn(mock(OAuth2AccessToken.class));
+        final OAuth2AuthorizedClientManager authClientManager = mock(OAuth2AuthorizedClientManager.class);
+        when(authClientManager.authorize(any())).thenReturn(authorizedClient);
+
+        final SpringOAuth2Client client = new SpringOAuth2Client(faultySupplier(3, authClientManager));
+
+        assertThatExceptionOfType(CredentialsVerificationException.class)
+                .isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD))
+                .havingCause().withNoCause().withMessage("Expected failure #1");
+        verifyNoInteractions(authClientManager);
+
+        assertThatExceptionOfType(CredentialsVerificationException.class)
+                .isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD))
+                .havingCause().withNoCause().withMessage("Expected failure #2");
+        verifyNoInteractions(authClientManager);
+
+        assertThatExceptionOfType(CredentialsVerificationException.class)
+                .isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD))
+                .havingCause().withNoCause().withMessage("Expected failure #3");
+        verifyNoInteractions(authClientManager);
+
+        client.verifyCredentials(USER_NAME, PASSWORD);
+        verify(authClientManager).authorize(argThat(r -> r.getPrincipal() != null && USER_NAME.equals(r.getPrincipal().getPrincipal())));
+    }
+
+    @Test
+    public void shouldThrowVerificationExceptionOnFailure()
+    {
+        final OAuth2AuthorizedClientManager authClientManager = mock(OAuth2AuthorizedClientManager.class);
+        when(authClientManager.authorize(any())).thenThrow(new RuntimeException("Expected"));
+
+        final SpringOAuth2Client client = new SpringOAuth2Client(() -> authClientManager);
+
+        assertThatExceptionOfType(CredentialsVerificationException.class)
+                .isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD))
+                .havingCause().withNoCause().withMessage("Expected");
+    }
+
+    @Test
+    public void shouldAvoidCreatingMultipleInstanceOfOAuth2AuthorizedClientManager()
+    {
+        final OAuth2AuthorizedClient authorizedClient = mock(OAuth2AuthorizedClient.class);
+        when(authorizedClient.getAccessToken()).thenReturn(mock(OAuth2AccessToken.class));
+        final OAuth2AuthorizedClientManager authClientManager = mock(OAuth2AuthorizedClientManager.class);
+        when(authClientManager.authorize(any())).thenReturn(authorizedClient);
+        final Supplier<OAuth2AuthorizedClientManager> supplier = mock(Supplier.class);
+        when(supplier.get()).thenReturn(authClientManager);
+
+        final SpringOAuth2Client client = new SpringOAuth2Client(supplier);
+
+        client.verifyCredentials(USER_NAME, PASSWORD);
+        client.verifyCredentials(USER_NAME, PASSWORD);
+        client.verifyCredentials(USER_NAME, PASSWORD);
+        verify(supplier, times(1)).get();
+        verify(authClientManager, times(3)).authorize(any());
+    }
+
+    private Supplier<OAuth2AuthorizedClientManager> faultySupplier(int numberOfInitialFailures, OAuth2AuthorizedClientManager authClientManager)
+    {
+        final int[] counter = new int[]{0};
+        return () -> {
+            if (counter[0]++ < numberOfInitialFailures)
+            {
+                throw new RuntimeException("Expected failure #" + counter[0]);
+            }
+            return authClientManager;
+        };
+    }
+
+}