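/**
 * A Google account that is not on the allow-list must be refused with {@code 403 Forbidden}.
 *
 * <p>Step one completes the OAuth callback (Google returns userinfo) and the filter sends the
 * browser back to the page named in {@code state}. Step two replays that page request: the
 * filter must consult the allow-list, answer 403, and must NOT invoke the filter chain —
 * otherwise the denial is cosmetic and the protected resource is still served behind it.
 *
 * <p>NOTE(review): the address literals ({@code *****@*****.**}, {@code [email protected]})
 * look redacted in this copy of the source; in the real test they should be the single address
 * that {@code googleReturnsUserinfo()} makes Google return.
 */
@Test
public void testInvalidEmailAddressDenied() throws IOException, ServletException {
  googleReturnsUserinfo();
  GoogleOauthFilter googleOauthFilter = filterNotYetAuthorised();

  // Step 1: the OAuth callback. "state" carries the page the user originally asked for.
  HttpServletResponse response = mock(HttpServletResponse.class);
  HttpServletRequest request =
      request(
          "http",
          "myserver.co.uk",
          "webapp",
          "oauth.html",
          "state=http://myserver.co.uk/webapp/index.html?forename=brian&surname=may",
          "code=4/b--2fGSRhhkub2d0wg7dZoNFUXLN.EluGs0IJqNIcOl05ti8ZT3b3nc9jcwI");
  FilterChain chain = mock(FilterChain.class);
  googleOauthFilter.doFilter(request, response, chain);
  // We expect a redirect to the original page and no access to the resource yet.
  verify(response)
      .sendRedirect("http://myserver.co.uk/webapp/index.html?forename=brian&surname=may");
  verifyZeroInteractions(chain);

  // Step 2: the browser follows the redirect; the allow-list does not contain this account.
  response = mock(HttpServletResponse.class);
  request =
      request("http", "myserver.co.uk", "webapp", "index.html", "forename=brian", "surname=may");
  when(userManager.getValidGmailAddresses()).thenReturn(Arrays.asList("*****@*****.**"));
  chain = mock(FilterChain.class);
  googleOauthFilter.doFilter(request, response, chain);

  // Only the allow-list lookup is expected: no role checks, no user creation for a denied user.
  verify(userManager).getValidGmailAddresses();
  verifyNoMoreInteractions(userManager);
  verify(response)
      .sendError(
          HttpServletResponse.SC_FORBIDDEN,
          "User [email protected] is not allowed to access this resource.");
  // A forbidden request must never be passed down to the protected resource.
  verifyZeroInteractions(chain);
}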
/**
 * When Google refuses to hand over userinfo the login must fail closed: on the next request the
 * user is sent back to Google to authenticate again, the allow-list is never consulted and the
 * protected resource is never reached.
 */
@Test
public void testUserDeniesFailsLogin() throws IOException, ServletException {
  googleDeniesUserinfo();
  GoogleOauthFilter filter = filterNotYetAuthorised();

  // The OAuth callback arrives with the code; "state" holds the page the user started on.
  String originalPage = "http://myserver.co.uk/webapp/index.html?forename=brian&surname=may";
  HttpServletRequest callback =
      request(
          "http",
          "myserver.co.uk",
          "webapp",
          "oauth.html",
          "state=" + originalPage,
          "code=4/b--2fGSRhhkub2d0wg7dZoNFUXLN.EluGs0IJqNIcOl05ti8ZT3b3nc9jcwI");
  HttpServletResponse callbackResponse = mock(HttpServletResponse.class);
  FilterChain callbackChain = mock(FilterChain.class);
  filter.doFilter(callback, callbackResponse, callbackChain);

  // Back to the original page; nothing has been served yet.
  verify(callbackResponse).sendRedirect(originalPage);
  verifyZeroInteractions(callbackChain);

  // The browser follows the redirect. Authentication was denied, so the filter must bounce the
  // user to Google again rather than look anyone up or call the chain.
  HttpServletRequest pageRequest =
      request("http", "myserver.co.uk", "webapp", "index.html", "forename=brian", "surname=may");
  HttpServletResponse pageResponse = mock(HttpServletResponse.class);
  FilterChain pageChain = mock(FilterChain.class);
  filter.doFilter(pageRequest, pageResponse, pageChain);

  verifyZeroInteractions(userManager, pageChain);
  verify(pageResponse)
      .sendRedirect(
          "https://accounts.google.com/o/oauth2/auth?client_id=my_id&redirect_uri=http://myserver.co.uk/webapp/oauth.html&response_type=code&scope=http://yetanotherscopse.com/scope%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email&state=http://myserver.co.uk/webapp/index.html?forename%3Dbrian%26surname%3Dmay");
}
/**
 * Drives a complete, successful login and checks what the downstream chain observes.
 *
 * <p>After the OAuth callback the filter redirects to the original page. On that page request
 * the account must be accepted (it is in {@code validGmailAddresses}), the user record created
 * if needed, and the request handed down the chain with an {@link OauthPrincipal} whose role
 * answers come from {@code userManager.isUserInRole}.
 *
 * @param validGmailAddresses the allow-list the mocked {@code userManager} will report; callers
 *     choose a list that does contain the logged-in address
 */
protected void testSuccessfulLogin(List<String> validGmailAddresses)
    throws IOException, ServletException {
  googleReturnsUserinfo();
  GoogleOauthFilter filter = filterNotYetAuthorised();

  // OAuth callback: the code exchange happens here, then we are sent back to "state".
  String originalPage = "http://myserver.co.uk/webapp/index.html?forename=brian&surname=may";
  HttpServletRequest callback =
      request(
          "http",
          "myserver.co.uk",
          "webapp",
          "oauth.html",
          "state=" + originalPage,
          "code=4/b--2fGSRhhkub2d0wg7dZoNFUXLN.EluGs0IJqNIcOl05ti8ZT3b3nc9jcwI");
  HttpServletResponse callbackResponse = mock(HttpServletResponse.class);
  FilterChain callbackChain = mock(FilterChain.class);
  filter.doFilter(callback, callbackResponse, callbackChain);
  verify(callbackResponse).sendRedirect(originalPage);
  verifyZeroInteractions(callbackChain);

  // The original page again, now with an authenticated session. Stub the user manager first.
  when(userManager.getValidGmailAddresses()).thenReturn(validGmailAddresses);
  when(userManager.isUserInRole("*****@*****.**", "guitarist")).thenReturn(true);
  when(userManager.isUserInRole("*****@*****.**", "drummer")).thenReturn(false);

  HttpServletRequest pageRequest =
      request("http", "myserver.co.uk", "webapp", "index.html", "forename=brian", "surname=may");
  HttpServletResponse pageResponse = mock(HttpServletResponse.class);
  RequestStoringFilterChain capturingChain = new RequestStoringFilterChain();
  filter.doFilter(pageRequest, pageResponse, capturingChain);

  verify(userManager)
      .createNewUserIfRequired(
          eq("*****@*****.**"), any(Userinfo.class), any(Credential.class));

  // What the protected resource sees: a wrapped request carrying the OAuth principal.
  HttpServletRequest seenByChain = capturingChain.getRequest();
  assertNotNull("The filter chain was not called.", seenByChain);
  Principal principal = seenByChain.getUserPrincipal();
  assertNotNull("The user principal was not set.", principal);
  assertEquals("The user principal had the wrong class", OauthPrincipal.class, principal.getClass());

  // Role answers are delegated to the user manager stubs above.
  assertTrue(
      "The user was not found to be in the correct group.", seenByChain.isUserInRole("guitarist"));
  assertFalse(
      "The user was found to be in the wrong group.", seenByChain.isUserInRole("drummer"));
  assertEquals(
      "The user principal had the wrong email address",
      "*****@*****.**",
      ((OauthPrincipal) principal).getUserinfo().getEmail());
}
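/**
 * Creates a filter and drives the first, unauthenticated request through it.
 *
 * <p>An unauthenticated request for a protected page must not reach the chain; instead the
 * filter redirects to Google's authorisation endpoint. The redirect URL is taken apart and each
 * component is checked individually (scheme, host, path, every query parameter) so a failure
 * names the exact piece that is wrong rather than one very long string.
 *
 * <p>NOTE(review): the {@code state} parameter is asserted to be the original page URL, and the
 * sibling tests expect the filter to {@code sendRedirect} to whatever {@code state} comes back
 * with. That makes {@code state} a return-URL rather than an unguessable anti-CSRF value; whether
 * the filter restricts the redirect target to its own host is not visible from these tests and
 * should be confirmed in the filter itself. Likewise the fixture's {@code redirect_uri} is plain
 * {@code http}; a deployment should use {@code https} so the authorisation code is not exposed.
 *
 * @return the filter, ready for the OAuth callback
 */
protected GoogleOauthFilter filterNotYetAuthorised() throws IOException, ServletException {
  GoogleOauthFilter googleOauthFilter = createFilter("http://yetanotherscopse.com/scope");
  FilterChain chain = mock(FilterChain.class);
  HttpServletRequest request =
      request("http", "myserver.co.uk", "webapp", "index.html", "forename=brian", "surname=may");
  HttpServletResponse response = mock(HttpServletResponse.class);

  // Capture the redirect target so it can be parsed and checked piecewise below.
  class SendRedirectAnswer implements Answer<Object> {
    String url;

    @Override
    public Object answer(InvocationOnMock invocation) throws Throwable {
      url = (String) invocation.getArguments()[0];
      return null;
    }
  }
  SendRedirectAnswer sendRedirectAnswer = new SendRedirectAnswer();
  doAnswer(sendRedirectAnswer).when(response).sendRedirect(anyString());

  googleOauthFilter.doFilter(request, response, chain);

  // Expect a redirect with no chain interaction: nothing protected may be served yet.
  verifyZeroInteractions(chain);
  verify(response).sendRedirect(anyString());

  GenericUrl actualRedirectUrl = new GenericUrl(sendRedirectAnswer.url);
  assertEquals(
      "The authorisation token url had the wrong scheme.", "https", actualRedirectUrl.getScheme());
  assertEquals(
      "The authorisation token url had the wrong host.",
      "accounts.google.com",
      actualRedirectUrl.getHost());
  // -1 means no explicit port, i.e. the default for https.
  assertEquals("The authorisation token url had the wrong port.", -1, actualRedirectUrl.getPort());
  assertThat(
      "The authorisation token url had the wrong path.",
      actualRedirectUrl.getPathParts(),
      contains("", "o", "oauth2", "auth"));

  // GenericUrl keeps unknown query parameters as List<String>; each is expected exactly once.
  Function<Object, String> firstToStringFunction =
      new Function<Object, String>() {
        @SuppressWarnings("unchecked")
        public String apply(Object value) {
          return ((List<String>) value).get(0);
        }
      };
  Map<String, String> parameters =
      Maps.transformValues(actualRedirectUrl.getUnknownKeys(), firstToStringFunction);
  assertThat(
      "The authorisation token url had the wrong parameters.",
      parameters.keySet(),
      containsInAnyOrder("client_id", "redirect_uri", "response_type", "scope", "state"));
  assertEquals("The wrong client ID was sent", "my_id", parameters.get("client_id"));
  assertEquals(
      "The wrong redirect URI was sent",
      "http://myserver.co.uk/webapp/oauth.html",
      parameters.get("redirect_uri"));
  assertEquals("The wrong response type was sent", "code", parameters.get("response_type"));
  // The configured scope plus the two userinfo scopes the filter always needs; order is free.
  assertThat(
      "The wrong scopes were sent.",
      Splitter.on(' ').split(parameters.get("scope")),
      containsInAnyOrder(
          "http://yetanotherscopse.com/scope",
          "https://www.googleapis.com/auth/userinfo.profile",
          "https://www.googleapis.com/auth/userinfo.email"));
  assertEquals(
      "The wrong state was sent",
      "http://myserver.co.uk/webapp/index.html?forename=brian&surname=may",
      parameters.get("state"));
  return googleOauthFilter;
}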