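 /**
  * Verifies that a login Google accepts is still refused when the address is not on the
  * allow-list, and that the refusal is fail-closed (nothing reaches the filter chain).
  *
  * <p>Leg 1 drives the OAuth callback ({@code oauth.html}) with an authorisation code and the
  * original page carried in {@code state}; the filter must bounce back to that page without
  * touching the chain. Leg 2 requests the original page again; {@code userManager} (a field of
  * the enclosing test class) allows only a different address, so the filter must answer
  * {@code 403} and, again, never invoke the chain.
  */
 @Test
 public void testInvalidEmailAddressDenied() throws IOException, ServletException {
   googleReturnsUserinfo();
   GoogleOauthFilter filter = filterNotYetAuthorised();

   // Leg 1: the OAuth callback carrying the code and the original page as state.
   FilterChain callbackChain = mock(FilterChain.class);
   HttpServletResponse callbackResponse = mock(HttpServletResponse.class);
   HttpServletRequest callbackRequest =
       request(
           "http",
           "myserver.co.uk",
           "webapp",
           "oauth.html",
           "state=http://myserver.co.uk/webapp/index.html?forename=brian&surname=may",
           "code=4/b--2fGSRhhkub2d0wg7dZoNFUXLN.EluGs0IJqNIcOl05ti8ZT3b3nc9jcwI");
   filter.doFilter(callbackRequest, callbackResponse, callbackChain);
   // The callback must redirect to the page named in state and not serve anything itself.
   verify(callbackResponse)
       .sendRedirect("http://myserver.co.uk/webapp/index.html?forename=brian&surname=may");
   verifyZeroInteractions(callbackChain);

   // Leg 2: the original page is requested again; the allow-list names a different address.
   when(userManager.getValidGmailAddresses())
       .thenReturn(Arrays.asList("*****@*****.**"));
   FilterChain pageChain = mock(FilterChain.class);
   HttpServletResponse pageResponse = mock(HttpServletResponse.class);
   HttpServletRequest pageRequest =
       request("http", "myserver.co.uk", "webapp", "index.html", "forename=brian", "surname=may");
   filter.doFilter(pageRequest, pageResponse, pageChain);
   // Only the allow-list is consulted: no role lookups, no user creation.
   verify(userManager).getValidGmailAddresses();
   verifyNoMoreInteractions(userManager);
   verify(pageResponse)
       .sendError(
           HttpServletResponse.SC_FORBIDDEN,
           "User [email protected] is not allowed to access this resource.");
   // A denial must be fail-closed: the 403 must not be followed by a pass down the chain
   // (mirrors the chain check the denied-by-Google test performs).
   verifyZeroInteractions(pageChain);
 }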
 /**
  * Verifies that a login Google does not complete leaves the user unauthenticated.
  *
  * <p>The callback leg is driven exactly as in the successful case, but {@code
  * googleDeniesUserinfo()} (defined elsewhere in this class) is set up first, so the Google side
  * of the exchange is presumably refused. Re-requesting the original page must then restart the
  * flow with a redirect to Google's authorisation endpoint, with no allow-list lookup and no call
  * down the filter chain.
  */
 @Test
 public void testUserDeniesFailsLogin() throws IOException, ServletException {
   googleDeniesUserinfo();
   GoogleOauthFilter filter = filterNotYetAuthorised();

   // Callback leg: Google sends the browser back to oauth.html with a code and our state.
   HttpServletRequest callbackRequest =
       request(
           "http",
           "myserver.co.uk",
           "webapp",
           "oauth.html",
           "state=http://myserver.co.uk/webapp/index.html?forename=brian&surname=may",
           "code=4/b--2fGSRhhkub2d0wg7dZoNFUXLN.EluGs0IJqNIcOl05ti8ZT3b3nc9jcwI");
   HttpServletResponse callbackResponse = mock(HttpServletResponse.class);
   FilterChain callbackChain = mock(FilterChain.class);
   filter.doFilter(callbackRequest, callbackResponse, callbackChain);
   // Whatever happened with Google, the callback only ever redirects to the page named in state.
   verify(callbackResponse)
       .sendRedirect("http://myserver.co.uk/webapp/index.html?forename=brian&surname=may");
   verifyZeroInteractions(callbackChain);

   // Second leg: the user is still anonymous, so the page request must bounce to Google again
   // rather than being served or checked against the allow-list.
   HttpServletRequest pageRequest =
       request("http", "myserver.co.uk", "webapp", "index.html", "forename=brian", "surname=may");
   HttpServletResponse pageResponse = mock(HttpServletResponse.class);
   FilterChain pageChain = mock(FilterChain.class);
   filter.doFilter(pageRequest, pageResponse, pageChain);
   verifyZeroInteractions(userManager, pageChain);
   verify(pageResponse)
       .sendRedirect(
           "https://accounts.google.com/o/oauth2/auth?client_id=my_id&redirect_uri=http://myserver.co.uk/webapp/oauth.html&response_type=code&scope=http://yetanotherscopse.com/scope%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email&state=http://myserver.co.uk/webapp/index.html?forename%3Dbrian%26surname%3Dmay");
 }
 /**
  * Drives a complete, successful login and checks what the application behind the filter sees.
  *
  * <p>Leg 1 is the OAuth callback with a code and the original page in {@code state}; it must
  * redirect back to that page without touching the chain. Leg 2 requests the original page: the
  * filter must consult the allow-list, create the user if required, and hand the chain a request
  * whose principal is an {@link OauthPrincipal} carrying the Google email and whose
  * {@code isUserInRole} answers are those of {@code userManager}.
  *
  * @param validGmailAddresses the allow-list {@code userManager} will report; callers choose a
  *     list that admits the stubbed Google address
  */
 protected void testSuccessfulLogin(List<String> validGmailAddresses)
     throws IOException, ServletException {
   googleReturnsUserinfo();
   GoogleOauthFilter filter = filterNotYetAuthorised();

   // Leg 1: the OAuth callback.
   HttpServletRequest callbackRequest =
       request(
           "http",
           "myserver.co.uk",
           "webapp",
           "oauth.html",
           "state=http://myserver.co.uk/webapp/index.html?forename=brian&surname=may",
           "code=4/b--2fGSRhhkub2d0wg7dZoNFUXLN.EluGs0IJqNIcOl05ti8ZT3b3nc9jcwI");
   HttpServletResponse callbackResponse = mock(HttpServletResponse.class);
   FilterChain callbackChain = mock(FilterChain.class);
   filter.doFilter(callbackRequest, callbackResponse, callbackChain);
   // Bounce to the page named in state; the application is not reached yet.
   verify(callbackResponse)
       .sendRedirect("http://myserver.co.uk/webapp/index.html?forename=brian&surname=may");
   verifyZeroInteractions(callbackChain);

   // Leg 2: the original page, with the allow-list and role answers stubbed.
   when(userManager.getValidGmailAddresses()).thenReturn(validGmailAddresses);
   when(userManager.isUserInRole("*****@*****.**", "guitarist")).thenReturn(true);
   when(userManager.isUserInRole("*****@*****.**", "drummer")).thenReturn(false);
   HttpServletRequest pageRequest =
       request("http", "myserver.co.uk", "webapp", "index.html", "forename=brian", "surname=may");
   HttpServletResponse pageResponse = mock(HttpServletResponse.class);
   // A capturing chain so we can inspect the (possibly wrapped) request the application gets.
   RequestStoringFilterChain capturingChain = new RequestStoringFilterChain();
   filter.doFilter(pageRequest, pageResponse, capturingChain);
   HttpServletRequest seenByApplication = capturingChain.getRequest();

   verify(userManager)
       .createNewUserIfRequired(
           eq("*****@*****.**"), any(Userinfo.class), any(Credential.class));
   assertNotNull("The filter chain was not called.", seenByApplication);
   Principal principalSeen = seenByApplication.getUserPrincipal();
   assertNotNull("The user principal was not set.", principalSeen);
   assertEquals("The user principal had the wrong class", OauthPrincipal.class, principalSeen.getClass());
   // Role answers must come from userManager, not from anything the browser sent.
   assertTrue(
       "The user was not found to be in the correct group.",
       seenByApplication.isUserInRole("guitarist"));
   assertFalse(
       "The user was found to be in the wrong group.", seenByApplication.isUserInRole("drummer"));
   OauthPrincipal oauthPrincipal = (OauthPrincipal) principalSeen;
   assertEquals(
       "The user principal had the wrong email address",
       "*****@*****.**",
       oauthPrincipal.getUserinfo().getEmail());
 }
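  /**
   * Creates a filter and pushes an anonymous request through it, asserting that the request is
   * bounced to Google's authorisation endpoint rather than served.
   *
   * <p>The redirect target is captured and taken apart: scheme, host, absence of an explicit
   * port, path, and the exact set of query parameters ({@code client_id}, {@code redirect_uri},
   * {@code response_type}, {@code scope}, {@code state}). {@code state} is expected to hold the
   * originally requested URL verbatim; this helper only checks what is sent to Google, not how
   * the callback treats {@code state} when it comes back (the calling tests cover that leg).
   *
   * @return the filter, already holding whatever it recorded for the pending login, so callers
   *     can drive the callback leg against the same instance
   * @throws IOException if the filter reports one
   * @throws ServletException if the filter reports one
   */
  protected GoogleOauthFilter filterNotYetAuthorised() throws IOException, ServletException {
    GoogleOauthFilter filter = createFilter("http://yetanotherscopse.com/scope");
    FilterChain chain = mock(FilterChain.class);
    HttpServletRequest anonymousRequest =
        request("http", "myserver.co.uk", "webapp", "index.html", "forename=brian", "surname=may");
    HttpServletResponse response = mock(HttpServletResponse.class);
    // Capture the redirect target; a one-element array keeps the captured value reachable from
    // the anonymous Answer without a dedicated local class.
    final String[] redirectTarget = new String[1];
    doAnswer(
            new Answer<Object>() {
              @Override
              public Object answer(InvocationOnMock invocation) throws Throwable {
                redirectTarget[0] = (String) invocation.getArguments()[0];
                return null;
              }
            })
        .when(response)
        .sendRedirect(anyString());
    filter.doFilter(anonymousRequest, response, chain);

    // An anonymous request must never reach the application: redirect only, no chain call.
    verifyZeroInteractions(chain);
    verify(response).sendRedirect(anyString());

    GenericUrl authorisationUrl = new GenericUrl(redirectTarget[0]);
    assertEquals(
        "The authorisation token url had the wrong scheme.", "https", authorisationUrl.getScheme());
    assertEquals(
        "The authorisation token url had the wrong host.",
        "accounts.google.com",
        authorisationUrl.getHost());
    // -1 is GenericUrl's "no explicit port"; the default for https is what we want.
    assertEquals("The authorisation token url had the wrong port.", -1, authorisationUrl.getPort());
    assertThat(
        "The authorisation token url had the wrong path.",
        authorisationUrl.getPathParts(),
        contains("", "o", "oauth2", "auth"));

    // GenericUrl keeps each query parameter as a list of values; we only ever expect one each.
    Function<Object, String> firstValue =
        new Function<Object, String>() {
          @Override
          @SuppressWarnings("unchecked")
          public String apply(Object value) {
            return ((List<String>) value).get(0);
          }
        };
    Map<String, String> query = Maps.transformValues(authorisationUrl.getUnknownKeys(), firstValue);
    // Exact parameter set: nothing missing, nothing extra leaking into the request to Google.
    assertThat(
        "The authorisation token url had the wrong parameters.",
        query.keySet(),
        containsInAnyOrder("client_id", "redirect_uri", "response_type", "scope", "state"));
    assertEquals("The wrong client ID was sent", "my_id", query.get("client_id"));
    assertEquals(
        "The wrong redirect URI was sent",
        "http://myserver.co.uk/webapp/oauth.html",
        query.get("redirect_uri"));
    assertEquals("The wrong response type was sent", "code", query.get("response_type"));
    // Scopes are space separated; order is not significant.
    assertThat(
        "The wrong scopes were sent.",
        Splitter.on(' ').split(query.get("scope")),
        containsInAnyOrder(
            "http://yetanotherscopse.com/scope",
            "https://www.googleapis.com/auth/userinfo.profile",
            "https://www.googleapis.com/auth/userinfo.email"));
    assertEquals(
        "The wrong state was sent",
        "http://myserver.co.uk/webapp/index.html?forename=brian&surname=may",
        query.get("state"));
    return filter;
  }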